Windows Analysis Report
3SgC5vaFEg.exe

Overview

General Information

Sample name: 3SgC5vaFEg.exe (renamed because the original name is a hash value)
Original sample name: e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc.exe
Analysis ID: 1633521
MD5: 8c528970280c14531dfa6a13c38e116b
SHA1: b036e0ec16cd82373909a75761f23aef94361796
SHA256: e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc
Tags: AgentTesla, exe, user-adrian__luca

Detection

Family: AgentTesla
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • 3SgC5vaFEg.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\3SgC5vaFEg.exe" MD5: 8C528970280C14531DFA6A13C38E116B)
    • powershell.exe (PID: 7784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1140 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7912 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 3SgC5vaFEg.exe (PID: 8064 cmdline: "C:\Users\user\Desktop\3SgC5vaFEg.exe" MD5: 8C528970280C14531DFA6A13C38E116B)
  • eJFCxXVOH.exe (PID: 7216 cmdline: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe MD5: 8C528970280C14531DFA6A13C38E116B)
    • schtasks.exe (PID: 5792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • eJFCxXVOH.exe (PID: 2252 cmdline: "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe" MD5: 8C528970280C14531DFA6A13C38E116B)
    • eJFCxXVOH.exe (PID: 7296 cmdline: "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe" MD5: 8C528970280C14531DFA6A13C38E116B)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Yara matches in memory dumps (first 5 of 20 entries)

Source: 0000000F.00000002.2550406752.00000000032BC000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000009.00000002.2549778245.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000F.00000002.2550406752.0000000003291000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Yara matches in unpacked PEs (first 5 of 14 entries)

Source: 15.2.eJFCxXVOH.exe.400000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 10.2.eJFCxXVOH.exe.3e29970.0.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
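The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID matches above fire on eight Windows Vault schema GUIDs embedded in the unpacked payload. The scanner below is an added example (not part of the Joe Sandbox report and not ditekSHen's rule) that searches a buffer for those same GUIDs the way a YARA string declared `ascii wide` would: both as ASCII and as UTF-16LE, which is how .NET stores user strings and why the hits land in the unpacked assembly rather than in the packed original. The rule's real condition is not quoted in the report; the MZ-header check, the one-GUID threshold, the friendly schema names and the constructed sample buffer are this example's own assumptions.

```python
# Vault schema GUIDs carried by the $s1..$s8 strings of the
# INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID matches quoted in the report.
# The friendly names are the publicly documented schema names, not report data.
VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}


def _find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data (overlaps included)."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan_vault_guids(data: bytes) -> dict:
    """Map each GUID found to a list of (offset, encoding) hits.

    Mirrors a YARA string declared `ascii wide`: the literal is searched both
    as ASCII and as UTF-16LE, the latter being how .NET stores user strings.
    The search is case-sensitive, like a YARA string without `nocase`.
    """
    hits = {}
    for guid in VAULT_SCHEMA_GUIDS:
        for encoding, needle in (("ascii", guid.encode("ascii")),
                                 ("wide", guid.encode("utf-16-le"))):
            for off in _find_all(data, needle):
                hits.setdefault(guid, []).append((off, encoding))
    return hits


def matches_vault_rule(data: bytes, min_guids: int = 1) -> bool:
    """True when data starts with an MZ header and references at least
    min_guids of the schema GUIDs. The MZ check and the threshold are this
    example's assumption; the real rule's condition is not on the page."""
    return data[:2] == b"MZ" and len(scan_vault_guids(data)) >= min_guids


def describe(hits: dict) -> list:
    """Sorted human-readable names of the vault stores a sample references."""
    return sorted(VAULT_SCHEMA_GUIDS[g] for g in hits)


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET payload (not the real sample):
    an MZ header, filler, one GUID as ASCII and one as UTF-16LE."""
    blob = bytearray(b"MZ" + b"\x00" * 62)              # 64-byte DOS header stub
    blob += b"padding " * 8                             # 64 bytes of filler
    blob += b"4BF4C442-9B8A-41A0-B380-DD4A704DDB28"     # ASCII, lands at offset 128
    blob += b"\x00" * 16
    blob += "77BC582B-F0A6-4E15-4E80-61736B6F3B29".encode("utf-16-le")  # wide, offset 180
    blob += b"\x00" * 16
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    found = scan_vault_guids(sample)
    for guid, where in found.items():
        print(f"{guid}  {VAULT_SCHEMA_GUIDS[guid]}  {where}")
    print("rule match:", matches_vault_rule(sample), describe(found))
```

Point `scan_vault_guids` at a memory dump or an unpacked module to get both the offsets and the credential stores the sample targets; the offsets from the constructed buffer naturally differ from the 0x3xxxx values in the report. If a sample lower-cases the GUIDs, the YARA strings would need `nocase` and this scanner a case-insensitive search.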

Sigma Overview

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3SgC5vaFEg.exe", ParentImage: C:\Users\user\Desktop\3SgC5vaFEg.exe, ParentProcessId: 7656, ParentProcessName: 3SgC5vaFEg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe", ProcessId: 7784, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe, ParentImage: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe, ParentProcessId: 7216, ParentProcessName: eJFCxXVOH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp", ProcessId: 5792, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\3SgC5vaFEg.exe, Initiated: true, ProcessId: 8064, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49695
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\3SgC5vaFEg.exe", ParentImage: C:\Users\user\Desktop\3SgC5vaFEg.exe, ParentProcessId: 7656, ParentProcessName: 3SgC5vaFEg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp", ProcessId: 7912, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3SgC5vaFEg.exe", ParentImage: C:\Users\user\Desktop\3SgC5vaFEg.exe, ParentProcessId: 7656, ParentProcessName: 3SgC5vaFEg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe", ProcessId: 7784, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\3SgC5vaFEg.exe", ParentImage: C:\Users\user\Desktop\3SgC5vaFEg.exe, ParentProcessId: 7656, ParentProcessName: 3SgC5vaFEg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp", ProcessId: 7912, ProcessName: schtasks.exe
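The Sigma matches above cover three behaviours this sample chains together: a Defender exclusion added through PowerShell, a scheduled task created from an XML file in the user's Temp folder, and an outbound SMTP connection from a process that is not a mail client. As an added example (not part of the Joe Sandbox report and not any of the cited Sigma rules), the script below re-implements those checks over Sysmon-style events. The first three events copy the fields shown in the matches; the other three are constructed here (the same cmdlet hidden behind `-EncodedCommand`, Outlook on port 25, and a read-only `Get-MpPreference`). `base64offset_variants` reproduces the idea behind the `CommandLine|base64offset|contains` modifier visible in the match data: a string can sit at three alignments inside a base64 blob, so all three encodings are searched, with the edge characters that also depend on neighbouring bytes trimmed. The field names, the mail-client allow-list and the port list are this example's assumptions, not report data.

```python
import base64
import re


def encode_command(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network
# connection). The first three copy fields from the report's Sigma matches; the
# last three are made up here: the same cmdlet hidden behind -EncodedCommand and
# two benign look-alikes that must not fire.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\eJFCxXVOH.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp"'},
    {"EventID": 3, "Image": r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     "DestinationIp": "46.175.148.58", "DestinationPort": 25, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand "
                    + encode_command(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": 25, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
]

MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}      # assumed allow-list
_XML_ARG = re.compile(r'/XML\s+"?(?P<path>[^"]+)', re.IGNORECASE)


def base64offset_variants(needle: bytes) -> list:
    """Base64 fragments that match `needle` at each of its three possible
    alignments inside a larger base64 blob (the idea behind Sigma's
    base64offset modifier). Characters whose value also depends on unknown
    neighbouring bytes are trimmed from both ends."""
    starts = (0, 2, 3)
    ends = (None, -3, -2)
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).decode("ascii")
        variants.append(enc[starts[shift]:ends[(len(needle) + shift) % 3]])
    return variants


# Base64 is case sensitive, so every spelling and encoding needs its own set.
_ENCODED_MP = [v for c in MP_CMDLETS for enc in ("ascii", "utf-16-le")
               for v in base64offset_variants(c.encode(enc))]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def defender_exclusion(ev: dict) -> bool:
    """PowerShell changing Defender preferences, in clear text or base64-encoded."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]).lower() != "powershell.exe":
        return False
    cl = ev["CommandLine"]
    if any(c.lower() in cl.lower() for c in MP_CMDLETS):
        return True
    return any(v in cl for v in _ENCODED_MP)


def schtasks_xml_from_temp(ev: dict) -> bool:
    """schtasks /Create that loads its task definition from an XML file in a Temp folder."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]).lower() != "schtasks.exe":
        return False
    cl = ev["CommandLine"]
    m = _XML_ARG.search(cl)
    return "/create" in cl.lower() and m is not None and "\\temp\\" in m.group("path").lower()


def unexpected_smtp(ev: dict) -> bool:
    """Outbound SMTP from a process that is not a known mail client."""
    return (ev.get("EventID") == 3 and ev.get("DestinationPort") in (25, 465, 587)
            and _basename(ev["Image"]).lower() not in MAIL_CLIENTS)


RULES = (("defender_exclusion", defender_exclusion),
         ("schtasks_xml_from_temp", schtasks_xml_from_temp),
         ("unexpected_smtp", unexpected_smtp))


def triage(events) -> list:
    """(rule name, process basename) for every event that trips a rule."""
    return [(name, _basename(ev["Image"])) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

Run against the constructed events, `triage` returns four findings: the clear-text exclusion, the schtasks /XML from Temp, the port-25 connection from 3SgC5vaFEg.exe, and the encoded exclusion; the Outlook and Get-MpPreference events stay quiet. The encoded case is the reason for the base64 variants: nothing in that command line contains the literal cmdlet name, and decoding every `-EncodedCommand` blob is not something a log search can do, so the search terms are pre-encoded instead.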
                  No Suricata rule has matched


AV Detection

Source: 3SgC5vaFEg.exe; Avira: detected
Source: http://mail.iaa-airferight.com; Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Avira: detection malicious, Label: TR/Agent_AGen.aiscp
Source: 10.2.eJFCxXVOH.exe.3e29970.0.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; ReversingLabs: Detection: 68%
Source: 3SgC5vaFEg.exe; Virustotal: Detection: 67%
Source: 3SgC5vaFEg.exe; ReversingLabs: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability

Source: 3SgC5vaFEg.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3SgC5vaFEg.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WIS.pdbSHA256 source: 3SgC5vaFEg.exe, eJFCxXVOH.exe.1.dr
Source: Binary string: WIS.pdb source: 3SgC5vaFEg.exe, eJFCxXVOH.exe.1.dr

Networking

Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; IP Address: 172.67.74.152
Source: Joe Sandbox View; ASN Name: ASLAGIDKOM-NETUA
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; TCP traffic: 192.168.2.6:49695 -> 46.175.148.58:25
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: 3SgC5vaFEg.exe, 00000009.00000002.2549778245.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.00000000032BC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.iaa-airferight.com
Source: 3SgC5vaFEg.exe, 00000001.00000002.1323046053.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1408668604.0000000003067000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2546306225.0000000000436000.00000040.00000400.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2546306225.0000000000434000.00000040.00000400.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: 3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: 3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown; Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown; Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49696 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, abAX9N.cs; .Net Code: OPnJT
Source: 1.2.3SgC5vaFEg.exe.4519990.2.raw.unpack, abAX9N.cs; .Net Code: OPnJT

System Summary

Source: 15.2.eJFCxXVOH.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.eJFCxXVOH.exe.3e29970.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.3SgC5vaFEg.exe.4519990.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.eJFCxXVOH.exe.3e29970.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.3SgC5vaFEg.exe.4519990.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_00F4D6CC
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEC120
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEAA48
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEE630
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEF5A0
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEF590
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEF2B8
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 1_2_06FEF2A8
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_00F1E6A1
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_00F14A98
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_00F13E80
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_00F141C8
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_00F1A960
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_00F1AA1F
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06687D68
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_066865E0
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06685588
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_0668B20F
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06683040
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06687688
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06685CD3
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_0668E388
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06680040
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe; Code function: 9_2_06680006
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 10_2_0139D6CC
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_0157E6A1
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_0157A94F
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_01574A98
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_01573E80
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_015741C8
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F865E0
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F85588
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F87D68
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F8B20F
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F83040
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F87688
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F85CD3
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F8E388
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F82349
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F80040
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F80006
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe; Code function: 15_2_06F801AC
Source: 3SgC5vaFEg.exe, 00000001.00000002.1332997673.0000000007A20000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000002.1332219328.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameCaptive.dll" vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000002.1323046053.0000000002D45000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000000.1288985723.00000000008AC000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: OriginalFilenameWIS.exeF vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000001.00000002.1319503800.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000009.00000002.2546306225.000000000043A000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe, 00000009.00000002.2547097654.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe; Binary or memory string: OriginalFilenameWIS.exeF vs 3SgC5vaFEg.exe
Source: 3SgC5vaFEg.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 15.2.eJFCxXVOH.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.eJFCxXVOH.exe.3e29970.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.3SgC5vaFEg.exe.4519990.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.eJFCxXVOH.exe.3e29970.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.3SgC5vaFEg.exe.4519990.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3SgC5vaFEg.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eJFCxXVOH.exe.1.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, RsYAkkzVoy.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, Kqqzixk.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, xROdzGigX.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, ywes.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, iPVW0zV.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, 1Pi9sgbHwoV.csCryptographic APIs: 'CreateDecryptor'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, QW3g5RZ0smOJDGWRZG.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, QW3g5RZ0smOJDGWRZG.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, QW3g5RZ0smOJDGWRZG.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, QW3g5RZ0smOJDGWRZG.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, QW3g5RZ0smOJDGWRZG.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, QW3g5RZ0smOJDGWRZG.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, n8Aa00PkBrZ1l0TYfs.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeFile created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4C9B.tmpJump to behavior
                  Source: 3SgC5vaFEg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 3SgC5vaFEg.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 3SgC5vaFEg.exeVirustotal: Detection: 67%
                  Source: 3SgC5vaFEg.exeReversingLabs: Detection: 68%
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeFile read: C:\Users\user\Desktop\3SgC5vaFEg.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\3SgC5vaFEg.exe "C:\Users\user\Desktop\3SgC5vaFEg.exe"
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Users\user\Desktop\3SgC5vaFEg.exe "C:\Users\user\Desktop\3SgC5vaFEg.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeProcess created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeProcess created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeProcess created: C:\Users\user\Desktop\3SgC5vaFEg.exe "C:\Users\user\Desktop\3SgC5vaFEg.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeProcess created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeProcess created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"Jump to behavior
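The process tree above records the two behaviors most worth alerting on from this sample: a user-writable binary spawning powershell.exe to run Add-MpPreference -ExclusionPath against itself and its dropped copy, then schtasks.exe /Create /XML loading a task definition from a .tmp file in %TEMP%. The following detection logic is an added example written for this page; it is not part of the Joe Sandbox report or the sample. It runs over constructed process-creation events that reuse the command lines shown above; the PIDs, the parent images, the encoded-command variant and the benign installer event are assumptions made up for the example, and the event field names are a simplified stand-in for whatever the real EDR or Sysmon schema provides.

```python
"""Detection for the Defender-exclusion plus scheduled-task chain seen in the
report above. Added example; events below are constructed, not real telemetry."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Paths a standard user can write to. A binary there that tampers with Defender
# or registers a task is far more suspicious than an installer in Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData\\(?:Roaming|Local))\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# Add-/Set-MpPreference with any exclusion parameter; captures the excluded value.
# A quoted value containing spaces is cut at the first space, acceptable for triage.
MP_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+[\"']?([^\"'\s]+)",
    re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)
SCHTASKS_XML = re.compile(r"/Create\b.*?/XML\s+[\"']?([^\"'\s]+)", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def expand_encoded(cmdline: str) -> str:
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) so the cmdlet
    regex also sees encoded launches; returns the input unchanged otherwise."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def check_event(ev: ProcEvent) -> list:
    """Per-event rules; returns (rule, detail) tuples, empty when nothing fires."""
    hits = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe == "powershell.exe":
        m = MP_EXCLUSION.search(expand_encoded(ev.cmdline))
        if m:
            excluded = m.group(1)
            sev = "high" if USER_WRITABLE.search(excluded) else "medium"
            hits.append(("defender_exclusion_added", f"{sev}: {excluded}"))
    elif exe == "schtasks.exe":
        m = SCHTASKS_XML.search(ev.cmdline)
        if m and TEMP_DIR.search(m.group(1)):
            hits.append(("schtasks_xml_from_temp", m.group(1)))
    return hits


def correlate(events: list) -> dict:
    """Group hits by parent PID and add a chain alert when one parent both adds a
    Defender exclusion and registers a task from %TEMP%, the sequence the sandbox
    recorded for 3SgC5vaFEg.exe. Returns {parent_pid: [(rule, detail), ...]}."""
    report = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            report[ev.ppid].append(hit)
    for ev in events:
        rules = {rule for rule, _ in report.get(ev.pid, [])}
        if {"defender_exclusion_added", "schtasks_xml_from_temp"} <= rules:
            where = "user-writable" if USER_WRITABLE.search(ev.image) else "system"
            report[ev.pid].append(("exclusion_plus_task_chain", f"{ev.image} ({where})"))
    return dict(report)


# Constructed events (assumed PIDs and parents) mirroring the report's command
# lines, plus an encoded-command variant and a benign installer task for contrast.
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST_IMG = r"C:\Windows\SysWOW64\schtasks.exe"
ST_CMD = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\3SgC5vaFEg.exe"
COPY = r"C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
ENC = base64.b64encode(f"Add-MpPreference -ExclusionPath '{COPY}'".encode("utf-16-le")).decode()
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", DROPPER, f'"{DROPPER}"'),
    ProcEvent(101, 100, DROPPER, PS_IMG, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROPPER}"'),
    ProcEvent(102, 100, DROPPER, PS_IMG, f'"{PS_CMD}" -EncodedCommand {ENC}'),
    ProcEvent(103, 100, DROPPER, ST_IMG,
              f'"{ST_CMD}" /Create /TN "Updates\\eJFCxXVOH" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp4C9B.tmp"'),
    ProcEvent(200, 1, r"C:\Windows\System32\svchost.exe", COPY, COPY),
    ProcEvent(201, 200, COPY, ST_IMG,
              f'"{ST_CMD}" /Create /TN "Updates\\eJFCxXVOH" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6514.tmp"'),
    ProcEvent(300, 1, r"C:\Windows\explorer.exe", r"C:\Program Files\Vendor\setup.exe", "setup.exe"),
    ProcEvent(301, 300, r"C:\Program Files\Vendor\setup.exe", ST_IMG,
              f'"{ST_CMD}" /Create /TN "Vendor\\Update" /XML "C:\\ProgramData\\Vendor\\update.xml"'),
]

if __name__ == "__main__":
    for ppid, hits in sorted(correlate(SAMPLE).items()):
        for rule, detail in hits:
            print(f"parent pid {ppid}: {rule}: {detail}")
```

The chain alert fires only for the dropper's PID, because in the report it is 3SgC5vaFEg.exe that adds both exclusions while the dropped eJFCxXVOH.exe only re-registers the task; the installer writing its task XML to ProgramData produces nothing. Decoding -EncodedCommand matters because the plain-text Add-MpPreference seen here is the easy case, and the same cmdlet hidden in a base64 launch would otherwise slip past a command-line substring match.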
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: iconcodecservice.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 3SgC5vaFEg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3SgC5vaFEg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 3SgC5vaFEg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WIS.pdbSHA256 | source: 3SgC5vaFEg.exe, eJFCxXVOH.exe.1.dr
Source: Binary string: WIS.pdb | source: 3SgC5vaFEg.exe, eJFCxXVOH.exe.1.dr

                  Data Obfuscation

Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, n8Aa00PkBrZ1l0TYfs.cs | .Net Code: Wa3ocrUH5I System.Reflection.Assembly.Load(byte[])
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, n8Aa00PkBrZ1l0TYfs.cs | .Net Code: Wa3ocrUH5I System.Reflection.Assembly.Load(byte[])
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, n8Aa00PkBrZ1l0TYfs.cs | .Net Code: Wa3ocrUH5I System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Code function: 1_2_00F4F39B push esp; retf 1_2_00F4F3AA
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Code function: 1_2_06FEA7E8 pushfd ; retf 1_2_06FEA7E9
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Code function: 1_2_06FE9A68 push eax; ret 1_2_06FE9A69
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Code function: 9_2_00F10C6D push edi; retf 9_2_00F10C7A
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Code function: 9_2_00F10C45 push ebx; retf 9_2_00F10C52
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Code function: 9_2_0668FFB0 push es; ret 9_2_0668FFC0
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Code function: 15_2_01570C45 push ebx; retf 15_2_01570C52
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Code function: 15_2_01570C6D push edi; retf 15_2_01570C7A
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Code function: 15_2_06F8FFBF push es; ret 15_2_06F8FFC0
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Code function: 15_2_06F849A3 push ecx; retf 15_2_06F849AA
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Code function: 15_2_06F8495D pushad ; retf 15_2_06F84964
Source: 3SgC5vaFEg.exe | Static PE information: section name: .text entropy: 7.722979353069734
Source: eJFCxXVOH.exe.1.dr | Static PE information: section name: .text entropy: 7.722979353069734
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, ltL30vxWW71fNEjDim.cs | High entropy of concatenated method names: 'RviQvcFWYE', 'JfMQTkgR6e', 'ocpQK16lTR', 'k4cQgEYoQ2', 'K4VQPuNgbf', 'pFQKeB5TaY', 'c6gKE1q2VJ', 'RnXK4byqc5', 'kTFKr2b2te', 'DPsKL2jVDh'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, lThGXvFNp2kIpNLX62.cs | High entropy of concatenated method names: 'avPcZqkMW', 'fip6YeUWn', 'vyh3rAAI2', 'FN89LP79C', 'asNBvhn2I', 'TMvAhYQw5', 'P5pL1AagCZccsn5xau', 'SKNGbX070QwDw9iAhm', 'Nr35HXHXC', 'NmxnfoFU2'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, t3DIoF4UdHhouv9e6A.cs | High entropy of concatenated method names: 'mGf1lDxIuQ', 'Kt11DeQGc4', 'Npa11XxQSe', 'EKR1GtTq5v', 'bvi1fUWOQf', 'w0Q1kyZDtw', 'Dispose', 'XCp5XBQnw1', 'IvM5T4oMn5', 'YVP5d5hxjf'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, FA89bNTugNax7xnvPK.cs | High entropy of concatenated method names: 'Dispose', 'JhoRLuv9e6', 'pS4FIaent3', 'JV9rBWLfT5', 'FvORpWiYfD', 'RANRzTxK5p', 'ProcessDialogKey', 'f4xFUq5Jgo', 'zUKFRhDGxy', 'mtrFFigdcD'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, GaqXItYfeZuo9UP7P8.cs | High entropy of concatenated method names: 'mCWgbXlwAt', 'uL2gj2O2ao', 'k0SgcB5r0x', 'mopg6SZcA6', 'FhNg8qBsiX', 'AfCg3CZ5YS', 'cbsg9usLIS', 'kEXgZVejkI', 'XoxgBy2dSW', 'mN8gA5xPCr'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, QW3g5RZ0smOJDGWRZG.cs | High entropy of concatenated method names: 'mqqT7tLfsI', 'SBcTm0Ghp9', 'tsUTVH6EAr', 'SAfThDDymu', 'JL7TeAc6qL', 'WqFTEVNcTg', 'R5aT4WUVlH', 'JhsTrv5xFF', 'LWhTL94V4u', 'S6tTpAtDua'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, vVuhLyEuwH4rjV7ts0.cs | High entropy of concatenated method names: 'LKQDryNwrL', 'iE2DpjjosD', 'bVo5UYmm1q', 'dqP5RabZMw', 'YSiDybr88k', 'ThuD2EuFmX', 'Vw8DWD6RtQ', 'BMuD7SyXed', 'rbKDmgDXgV', 'niwDVCHmRB'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, eTXrXl7s9NuyEu0I4l.cs | High entropy of concatenated method names: 'HPpl0njrTe', 'TTil2V6LFv', 'BMGl7Xqn9F', 'Qehlmukb0r', 'TkklIfjEau', 'Y4glSJZwIm', 'vZFls7aaIG', 'l52lHdM203', 'StWlOg5Qjh', 'yGilwSJLVB'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, pgdcDEpJB7Flk4b9SX.cs | High entropy of concatenated method names: 'dL4ndyppVA', 'hQgnKgltnS', 'UVxnQYJ9vs', 'eNdngVltIw', 'Wcon1new7U', 'taKnPdhZAE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, OvPZJfd4D44st0gsAq.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T1jFLIwT6V', 'mjYFpeZu0A', 'vKgFz277VC', 'TYoaUOa9Wl', 'vDfaR4cUXv', 'slWaFxZ14i', 'T4GaaScJTN', 'nETg4OdERnRFOXmKH0A'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, n8Aa00PkBrZ1l0TYfs.cs | High entropy of concatenated method names: 'bRFavGG5vK', 'g3FaXA3YvB', 'UuZaTPmilq', 'c4Tadd8eBY', 'JCYaKRsf5o', 'TR7aQgRBL1', 'oJKaguxYN1', 'fjoaPGy2Fn', 'QlRaCuFpp6', 't33aq4lUCd'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, TPw3BlWxZP8x6y6qId.cs | High entropy of concatenated method names: 'tYGNZpF4So', 'rseNBmZ5Gn', 'HJKNxL0L78', 'HDVNIZIYJI', 'UuJNsXUBaP', 'OgkNHEojxa', 'XXNNw0C8Zk', 'iBLNMuvAgP', 'X8WN0B39Ky', 'YWSNyIsqIZ'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, rawySAw7W4oryhJaGR.cs | High entropy of concatenated method names: 'nX1gX3B0fN', 'jj4gd4UQpj', 'tpmgQVihUi', 'q6HQpyv4Wg', 'wNkQz8gBfM', 'cDhgU4PnNK', 'dvggRxNFhG', 'PljgFYo3pH', 'tQTgaEcZEV', 'YUngogxETH'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, Sbq95HRU2KU6fhpAa9l.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rTqny9S8Sl', 'b3jn2DnMAL', 'eQbnW6ZqnX', 'LTmn7BYMAQ', 'NMGnmXrbau', 'VoEnVb1f46', 'pXUnhBCSrD'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, pclSJpBKYBBGYVYnH3.cs | High entropy of concatenated method names: 'uWCd6kLliH', 'AiNd3cfXL0', 'MAZdZxtT5r', 'T7YdBnMJKk', 'lMqdlvP6v6', 'ukPdiIXg3b', 'fs4dDds88E', 'Sfnd5rqpy7', 'PKAd1Unp74', 'sqpdnVlygn'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, IMk5CGRRCHru7aqat0f.cs | High entropy of concatenated method names: 'cpQnpHSvbh', 'fdMnzd11CN', 'QXSGU7wdGs', 'HiPGRwHRdQ', 'ButGFpPd5f', 'VEJGaWeV2j', 'pXhGoC0UUg', 'r5dGvuLwt0', 'f30GXfJx8Y', 'US5GTLCa3R'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, FLPhsqorutH0SgNt7V.cs | High entropy of concatenated method names: 'dC7RgW3g5R', 'NsmRPOJDGW', 'YKYRqBBGYV', 'MnHRJ3plxq', 'V35RlIvCtL', 'C0vRiWW71f', 'E2phMVTVRGc9dfa5c3', 'BQ5yDMXaXi2GsLCBx7', 'HEfRRoIY9I', 'DwJRahXGYD'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, Gq5JgoLcUKhDGxyqtr.cs | High entropy of concatenated method names: 'gNv1xuJb9G', 'MuI1IUVsO4', 'Lwe1SmimPN', 'P241sL7dHA', 'nOJ1HBv5qI', 'FS61Os8H1I', 'GDP1w2jgsl', 'J2T1MXsEII', 'j4c1Yd9YRT', 'XDo10kms2N'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, I4wfBfziaCPJAl8j4h.cs | High entropy of concatenated method names: 'RKgn303ZXF', 'Bn2nZ8noBy', 'yxanBG8Z1c', 'oYAnxwJ67t', 'O9xnI9p3EI', 'zdTnso6NBV', 'nlwnHsTk8K', 'sBinkLoUMZ', 'UbVnblYvDi', 'u0Knjk67pY'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, YGcoZBVUjiMOFbgn7e.cs | High entropy of concatenated method names: 'ToString', 'JTxiyxGpmL', 'MvXiIJ9VgT', 'CJ1iSjbu07', 'pWEisTOdtD', 'whSiHh4r7m', 'JaliOfd3T4', 'UUYiw12lnc', 'rsYiMS5n1m', 'oKEiY8nVC9'
Source: 1.2.3SgC5vaFEg.exe.4782150.1.raw.unpack, Ylxq3nAZQulmm435Iv.cs | High entropy of concatenated method names: 'DPdK8XOv6Z', 'MdFK9XhDgy', 'BxUdSbSKGb', 'jnGdsIQTjw', 'dWudH4R9s4', 'RZ9dOlrgtD', 'XlSdwe42ZC', 'AVfdMD722D', 'wkAdYvBa3m', 'WmVd0QbcIw'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, ltL30vxWW71fNEjDim.cs | High entropy of concatenated method names: 'RviQvcFWYE', 'JfMQTkgR6e', 'ocpQK16lTR', 'k4cQgEYoQ2', 'K4VQPuNgbf', 'pFQKeB5TaY', 'c6gKE1q2VJ', 'RnXK4byqc5', 'kTFKr2b2te', 'DPsKL2jVDh'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, lThGXvFNp2kIpNLX62.cs | High entropy of concatenated method names: 'avPcZqkMW', 'fip6YeUWn', 'vyh3rAAI2', 'FN89LP79C', 'asNBvhn2I', 'TMvAhYQw5', 'P5pL1AagCZccsn5xau', 'SKNGbX070QwDw9iAhm', 'Nr35HXHXC', 'NmxnfoFU2'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, t3DIoF4UdHhouv9e6A.cs | High entropy of concatenated method names: 'mGf1lDxIuQ', 'Kt11DeQGc4', 'Npa11XxQSe', 'EKR1GtTq5v', 'bvi1fUWOQf', 'w0Q1kyZDtw', 'Dispose', 'XCp5XBQnw1', 'IvM5T4oMn5', 'YVP5d5hxjf'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, FA89bNTugNax7xnvPK.cs | High entropy of concatenated method names: 'Dispose', 'JhoRLuv9e6', 'pS4FIaent3', 'JV9rBWLfT5', 'FvORpWiYfD', 'RANRzTxK5p', 'ProcessDialogKey', 'f4xFUq5Jgo', 'zUKFRhDGxy', 'mtrFFigdcD'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, GaqXItYfeZuo9UP7P8.cs | High entropy of concatenated method names: 'mCWgbXlwAt', 'uL2gj2O2ao', 'k0SgcB5r0x', 'mopg6SZcA6', 'FhNg8qBsiX', 'AfCg3CZ5YS', 'cbsg9usLIS', 'kEXgZVejkI', 'XoxgBy2dSW', 'mN8gA5xPCr'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, QW3g5RZ0smOJDGWRZG.cs | High entropy of concatenated method names: 'mqqT7tLfsI', 'SBcTm0Ghp9', 'tsUTVH6EAr', 'SAfThDDymu', 'JL7TeAc6qL', 'WqFTEVNcTg', 'R5aT4WUVlH', 'JhsTrv5xFF', 'LWhTL94V4u', 'S6tTpAtDua'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, vVuhLyEuwH4rjV7ts0.cs | High entropy of concatenated method names: 'LKQDryNwrL', 'iE2DpjjosD', 'bVo5UYmm1q', 'dqP5RabZMw', 'YSiDybr88k', 'ThuD2EuFmX', 'Vw8DWD6RtQ', 'BMuD7SyXed', 'rbKDmgDXgV', 'niwDVCHmRB'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, eTXrXl7s9NuyEu0I4l.cs | High entropy of concatenated method names: 'HPpl0njrTe', 'TTil2V6LFv', 'BMGl7Xqn9F', 'Qehlmukb0r', 'TkklIfjEau', 'Y4glSJZwIm', 'vZFls7aaIG', 'l52lHdM203', 'StWlOg5Qjh', 'yGilwSJLVB'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, pgdcDEpJB7Flk4b9SX.cs | High entropy of concatenated method names: 'dL4ndyppVA', 'hQgnKgltnS', 'UVxnQYJ9vs', 'eNdngVltIw', 'Wcon1new7U', 'taKnPdhZAE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, OvPZJfd4D44st0gsAq.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T1jFLIwT6V', 'mjYFpeZu0A', 'vKgFz277VC', 'TYoaUOa9Wl', 'vDfaR4cUXv', 'slWaFxZ14i', 'T4GaaScJTN', 'nETg4OdERnRFOXmKH0A'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, n8Aa00PkBrZ1l0TYfs.cs | High entropy of concatenated method names: 'bRFavGG5vK', 'g3FaXA3YvB', 'UuZaTPmilq', 'c4Tadd8eBY', 'JCYaKRsf5o', 'TR7aQgRBL1', 'oJKaguxYN1', 'fjoaPGy2Fn', 'QlRaCuFpp6', 't33aq4lUCd'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, TPw3BlWxZP8x6y6qId.cs | High entropy of concatenated method names: 'tYGNZpF4So', 'rseNBmZ5Gn', 'HJKNxL0L78', 'HDVNIZIYJI', 'UuJNsXUBaP', 'OgkNHEojxa', 'XXNNw0C8Zk', 'iBLNMuvAgP', 'X8WN0B39Ky', 'YWSNyIsqIZ'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, rawySAw7W4oryhJaGR.cs | High entropy of concatenated method names: 'nX1gX3B0fN', 'jj4gd4UQpj', 'tpmgQVihUi', 'q6HQpyv4Wg', 'wNkQz8gBfM', 'cDhgU4PnNK', 'dvggRxNFhG', 'PljgFYo3pH', 'tQTgaEcZEV', 'YUngogxETH'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, Sbq95HRU2KU6fhpAa9l.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rTqny9S8Sl', 'b3jn2DnMAL', 'eQbnW6ZqnX', 'LTmn7BYMAQ', 'NMGnmXrbau', 'VoEnVb1f46', 'pXUnhBCSrD'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, pclSJpBKYBBGYVYnH3.cs | High entropy of concatenated method names: 'uWCd6kLliH', 'AiNd3cfXL0', 'MAZdZxtT5r', 'T7YdBnMJKk', 'lMqdlvP6v6', 'ukPdiIXg3b', 'fs4dDds88E', 'Sfnd5rqpy7', 'PKAd1Unp74', 'sqpdnVlygn'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, IMk5CGRRCHru7aqat0f.cs | High entropy of concatenated method names: 'cpQnpHSvbh', 'fdMnzd11CN', 'QXSGU7wdGs', 'HiPGRwHRdQ', 'ButGFpPd5f', 'VEJGaWeV2j', 'pXhGoC0UUg', 'r5dGvuLwt0', 'f30GXfJx8Y', 'US5GTLCa3R'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, FLPhsqorutH0SgNt7V.cs | High entropy of concatenated method names: 'dC7RgW3g5R', 'NsmRPOJDGW', 'YKYRqBBGYV', 'MnHRJ3plxq', 'V35RlIvCtL', 'C0vRiWW71f', 'E2phMVTVRGc9dfa5c3', 'BQ5yDMXaXi2GsLCBx7', 'HEfRRoIY9I', 'DwJRahXGYD'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, Gq5JgoLcUKhDGxyqtr.cs | High entropy of concatenated method names: 'gNv1xuJb9G', 'MuI1IUVsO4', 'Lwe1SmimPN', 'P241sL7dHA', 'nOJ1HBv5qI', 'FS61Os8H1I', 'GDP1w2jgsl', 'J2T1MXsEII', 'j4c1Yd9YRT', 'XDo10kms2N'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, I4wfBfziaCPJAl8j4h.cs | High entropy of concatenated method names: 'RKgn303ZXF', 'Bn2nZ8noBy', 'yxanBG8Z1c', 'oYAnxwJ67t', 'O9xnI9p3EI', 'zdTnso6NBV', 'nlwnHsTk8K', 'sBinkLoUMZ', 'UbVnblYvDi', 'u0Knjk67pY'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, YGcoZBVUjiMOFbgn7e.cs | High entropy of concatenated method names: 'ToString', 'JTxiyxGpmL', 'MvXiIJ9VgT', 'CJ1iSjbu07', 'pWEisTOdtD', 'whSiHh4r7m', 'JaliOfd3T4', 'UUYiw12lnc', 'rsYiMS5n1m', 'oKEiY8nVC9'
Source: 1.2.3SgC5vaFEg.exe.4800d70.0.raw.unpack, Ylxq3nAZQulmm435Iv.cs | High entropy of concatenated method names: 'DPdK8XOv6Z', 'MdFK9XhDgy', 'BxUdSbSKGb', 'jnGdsIQTjw', 'dWudH4R9s4', 'RZ9dOlrgtD', 'XlSdwe42ZC', 'AVfdMD722D', 'wkAdYvBa3m', 'WmVd0QbcIw'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, ltL30vxWW71fNEjDim.cs | High entropy of concatenated method names: 'RviQvcFWYE', 'JfMQTkgR6e', 'ocpQK16lTR', 'k4cQgEYoQ2', 'K4VQPuNgbf', 'pFQKeB5TaY', 'c6gKE1q2VJ', 'RnXK4byqc5', 'kTFKr2b2te', 'DPsKL2jVDh'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, lThGXvFNp2kIpNLX62.cs | High entropy of concatenated method names: 'avPcZqkMW', 'fip6YeUWn', 'vyh3rAAI2', 'FN89LP79C', 'asNBvhn2I', 'TMvAhYQw5', 'P5pL1AagCZccsn5xau', 'SKNGbX070QwDw9iAhm', 'Nr35HXHXC', 'NmxnfoFU2'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, t3DIoF4UdHhouv9e6A.cs | High entropy of concatenated method names: 'mGf1lDxIuQ', 'Kt11DeQGc4', 'Npa11XxQSe', 'EKR1GtTq5v', 'bvi1fUWOQf', 'w0Q1kyZDtw', 'Dispose', 'XCp5XBQnw1', 'IvM5T4oMn5', 'YVP5d5hxjf'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, FA89bNTugNax7xnvPK.cs | High entropy of concatenated method names: 'Dispose', 'JhoRLuv9e6', 'pS4FIaent3', 'JV9rBWLfT5', 'FvORpWiYfD', 'RANRzTxK5p', 'ProcessDialogKey', 'f4xFUq5Jgo', 'zUKFRhDGxy', 'mtrFFigdcD'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, GaqXItYfeZuo9UP7P8.cs | High entropy of concatenated method names: 'mCWgbXlwAt', 'uL2gj2O2ao', 'k0SgcB5r0x', 'mopg6SZcA6', 'FhNg8qBsiX', 'AfCg3CZ5YS', 'cbsg9usLIS', 'kEXgZVejkI', 'XoxgBy2dSW', 'mN8gA5xPCr'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, QW3g5RZ0smOJDGWRZG.cs | High entropy of concatenated method names: 'mqqT7tLfsI', 'SBcTm0Ghp9', 'tsUTVH6EAr', 'SAfThDDymu', 'JL7TeAc6qL', 'WqFTEVNcTg', 'R5aT4WUVlH', 'JhsTrv5xFF', 'LWhTL94V4u', 'S6tTpAtDua'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, vVuhLyEuwH4rjV7ts0.cs | High entropy of concatenated method names: 'LKQDryNwrL', 'iE2DpjjosD', 'bVo5UYmm1q', 'dqP5RabZMw', 'YSiDybr88k', 'ThuD2EuFmX', 'Vw8DWD6RtQ', 'BMuD7SyXed', 'rbKDmgDXgV', 'niwDVCHmRB'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, eTXrXl7s9NuyEu0I4l.cs | High entropy of concatenated method names: 'HPpl0njrTe', 'TTil2V6LFv', 'BMGl7Xqn9F', 'Qehlmukb0r', 'TkklIfjEau', 'Y4glSJZwIm', 'vZFls7aaIG', 'l52lHdM203', 'StWlOg5Qjh', 'yGilwSJLVB'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, pgdcDEpJB7Flk4b9SX.cs | High entropy of concatenated method names: 'dL4ndyppVA', 'hQgnKgltnS', 'UVxnQYJ9vs', 'eNdngVltIw', 'Wcon1new7U', 'taKnPdhZAE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, OvPZJfd4D44st0gsAq.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T1jFLIwT6V', 'mjYFpeZu0A', 'vKgFz277VC', 'TYoaUOa9Wl', 'vDfaR4cUXv', 'slWaFxZ14i', 'T4GaaScJTN', 'nETg4OdERnRFOXmKH0A'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, n8Aa00PkBrZ1l0TYfs.cs | High entropy of concatenated method names: 'bRFavGG5vK', 'g3FaXA3YvB', 'UuZaTPmilq', 'c4Tadd8eBY', 'JCYaKRsf5o', 'TR7aQgRBL1', 'oJKaguxYN1', 'fjoaPGy2Fn', 'QlRaCuFpp6', 't33aq4lUCd'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, TPw3BlWxZP8x6y6qId.cs | High entropy of concatenated method names: 'tYGNZpF4So', 'rseNBmZ5Gn', 'HJKNxL0L78', 'HDVNIZIYJI', 'UuJNsXUBaP', 'OgkNHEojxa', 'XXNNw0C8Zk', 'iBLNMuvAgP', 'X8WN0B39Ky', 'YWSNyIsqIZ'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, rawySAw7W4oryhJaGR.cs | High entropy of concatenated method names: 'nX1gX3B0fN', 'jj4gd4UQpj', 'tpmgQVihUi', 'q6HQpyv4Wg', 'wNkQz8gBfM', 'cDhgU4PnNK', 'dvggRxNFhG', 'PljgFYo3pH', 'tQTgaEcZEV', 'YUngogxETH'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, Sbq95HRU2KU6fhpAa9l.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rTqny9S8Sl', 'b3jn2DnMAL', 'eQbnW6ZqnX', 'LTmn7BYMAQ', 'NMGnmXrbau', 'VoEnVb1f46', 'pXUnhBCSrD'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, pclSJpBKYBBGYVYnH3.cs | High entropy of concatenated method names: 'uWCd6kLliH', 'AiNd3cfXL0', 'MAZdZxtT5r', 'T7YdBnMJKk', 'lMqdlvP6v6', 'ukPdiIXg3b', 'fs4dDds88E', 'Sfnd5rqpy7', 'PKAd1Unp74', 'sqpdnVlygn'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, IMk5CGRRCHru7aqat0f.cs | High entropy of concatenated method names: 'cpQnpHSvbh', 'fdMnzd11CN', 'QXSGU7wdGs', 'HiPGRwHRdQ', 'ButGFpPd5f', 'VEJGaWeV2j', 'pXhGoC0UUg', 'r5dGvuLwt0', 'f30GXfJx8Y', 'US5GTLCa3R'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, FLPhsqorutH0SgNt7V.cs | High entropy of concatenated method names: 'dC7RgW3g5R', 'NsmRPOJDGW', 'YKYRqBBGYV', 'MnHRJ3plxq', 'V35RlIvCtL', 'C0vRiWW71f', 'E2phMVTVRGc9dfa5c3', 'BQ5yDMXaXi2GsLCBx7', 'HEfRRoIY9I', 'DwJRahXGYD'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, Gq5JgoLcUKhDGxyqtr.cs | High entropy of concatenated method names: 'gNv1xuJb9G', 'MuI1IUVsO4', 'Lwe1SmimPN', 'P241sL7dHA', 'nOJ1HBv5qI', 'FS61Os8H1I', 'GDP1w2jgsl', 'J2T1MXsEII', 'j4c1Yd9YRT', 'XDo10kms2N'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, I4wfBfziaCPJAl8j4h.cs | High entropy of concatenated method names: 'RKgn303ZXF', 'Bn2nZ8noBy', 'yxanBG8Z1c', 'oYAnxwJ67t', 'O9xnI9p3EI', 'zdTnso6NBV', 'nlwnHsTk8K', 'sBinkLoUMZ', 'UbVnblYvDi', 'u0Knjk67pY'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, YGcoZBVUjiMOFbgn7e.cs | High entropy of concatenated method names: 'ToString', 'JTxiyxGpmL', 'MvXiIJ9VgT', 'CJ1iSjbu07', 'pWEisTOdtD', 'whSiHh4r7m', 'JaliOfd3T4', 'UUYiw12lnc', 'rsYiMS5n1m', 'oKEiY8nVC9'
Source: 1.2.3SgC5vaFEg.exe.7a20000.5.raw.unpack, Ylxq3nAZQulmm435Iv.cs | High entropy of concatenated method names: 'DPdK8XOv6Z', 'MdFK9XhDgy', 'BxUdSbSKGb', 'jnGdsIQTjw', 'dWudH4R9s4', 'RZ9dOlrgtD', 'XlSdwe42ZC', 'AVfdMD722D', 'wkAdYvBa3m', 'WmVd0QbcIw'
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | File created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe

                  Boot Survival

Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp"

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: 3SgC5vaFEg.exe PID: 7656, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: eJFCxXVOH.exe PID: 7216, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: F40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: 2D10000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: 10A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: 8F60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: 9F60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: A170000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: B170000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: B580000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: C580000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: F10000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: 29E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Memory allocated: 27F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 1390000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 2E20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 4E20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 8C30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 9C30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 9E20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: AE20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: B200000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: C200000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: D200000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 1570000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 3240000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Memory allocated: 5240000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6362
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3223
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6268
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3232
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Window / User API: threadDelayed 6572
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe Window / User API: threadDelayed 3266
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Window / User API: threadDelayed 3857
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe Window / User API: threadDelayed 5989
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 7676 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -20291418481080494s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132 Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep count: 40 > 30
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -36893488147419080s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5728 Thread sleep count: 6572 > 30
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99875s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5728 Thread sleep count: 3266 > 30
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99765s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99656s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99546s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99437s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99321s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -99205s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98992s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98868s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98742s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98638s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98529s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98422s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98312s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98203s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -98094s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97984s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97875s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97765s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97656s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97547s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97437s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97327s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97218s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97109s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -97000s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96890s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96781s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96672s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96562s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96453s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96344s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96234s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96125s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -96015s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95906s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95797s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95687s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95578s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95469s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95344s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95234s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95125s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -95015s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -94906s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640 Thread sleep time: -94796s >= -30000s
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640Thread sleep time: -94687s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640Thread sleep time: -94578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640Thread sleep time: -94459s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640Thread sleep time: -94341s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exe TID: 5640Thread sleep time: -94216s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 1760 | Thread sleep count: 3857 > 30
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 1760 | Thread sleep count: 5989 > 30
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98219s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97650s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97545s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97303s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -97036s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96914s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96812s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96701s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96590s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96482s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96372s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96263s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96156s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -96047s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95922s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95813s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95688s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95469s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95344s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95234s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95125s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -95015s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -94869s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -94654s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -94547s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -94018s >= -30000s
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe TID: 7736 | Thread sleep time: -93906s >= -30000s
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99321
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 99205
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98992
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98868
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98742
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98638
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98529
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98422
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98312
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98203
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 98094
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97984
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97875
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97765
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97656
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97547
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97437
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97327
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97218
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97109
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 97000
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96890
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96781
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96672
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96562
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96453
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96344
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96234
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96125
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 96015
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95906
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95797
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95687
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95578
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95469
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95344
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95234
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95125
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 95015
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94906
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94796
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94687
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94578
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94459
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94341
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Thread delayed: delay time: 94216
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99672
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99344
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98219
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 98000
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97891
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97781
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97650
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97545
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97303
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 97036
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96914
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96812
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96701
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96590
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96482
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96372
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96263
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96156
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 96047
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95922
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95813
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95688
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95578
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95469
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95344
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95234
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95125
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 95015
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 94869
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 94765
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 94654
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 94547
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 94018
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Thread delayed: delay time: 93906
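The "Thread delayed" rows above are not dozens of independent timers: after a few 922337203685477 ms waits they form a ladder in which each delay is about 110 ms shorter than the previous one, which is the signature of one loop re-sleeping with a shrinking budget. The script below is an added example, not code from the Joe Sandbox report or from the sample. It treats the delay values as milliseconds (an assumption about the report's units), separates effectively infinite waits from finite ones (922337203685477 is .NET's TimeSpan.MaxValue expressed in whole milliseconds), detects countdown runs, and totals the wall-clock time an analysis box must survive before the loop ends. The delay list is a constructed subset of the eJFCxXVOH.exe rows in listed order; all function names are the example's own.

```python
"""Characterise the "Thread delayed" sequence above. Added example, not code
from the Joe Sandbox report; the delay list is a constructed subset of the
eJFCxXVOH.exe rows, in listed order, with values taken as milliseconds (an
assumption about the report's units)."""
from statistics import median

# .NET TimeSpan.MaxValue is 2**63 - 1 ticks of 100 ns; in whole milliseconds
# that is 922337203685477, the value the report shows for the longest waits.
DOTNET_MAX_DELAY_MS = (2**63 - 1) // 10_000

# Constructed subset of the report's delay rows for eJFCxXVOH.exe.
SAMPLE_DELAYS_MS = [922337203685477, 100000, 99891, 99781, 99672, 99562,
                    99453, 99344, 99234, 99125, 99015, 98891, 98781, 98672,
                    98562, 98453, 98328, 98219, 98109, 98000]


def split_delays(delays, infinite_ms=DOTNET_MAX_DELAY_MS):
    """Separate waits that never return on their own from finite ones."""
    infinite = [d for d in delays if d >= infinite_ms]
    finite = [d for d in delays if d < infinite_ms]
    return infinite, finite


def countdown_runs(delays, tolerance_ms=30, min_len=5):
    """Group consecutive delays where each is shorter than the previous one by
    a near-constant step. One such ladder is a single loop re-sleeping with a
    shrinking budget, which is how the rows above should be read."""
    runs, run = [], []
    for d in delays:
        if run:
            step = run[-1] - d
            # Compare against the previous step; a run of length 1 accepts
            # any positive step as its first reference.
            ref = run[-2] - run[-1] if len(run) > 1 else step
            if step > 0 and abs(step - ref) <= tolerance_ms:
                run.append(d)
                continue
            if len(run) >= min_len:
                runs.append(run)
        run = [d]
    if len(run) >= min_len:
        runs.append(run)
    return runs


def summarize(delays):
    """Numbers an analyst needs when deciding how long a sandbox run must be,
    or which waits have to be patched out, before the payload stage runs."""
    infinite, finite = split_delays(delays)
    runs = countdown_runs(finite)
    steps = [r[i] - r[i + 1] for r in runs for i in range(len(r) - 1)]
    return {
        "infinite_waits": len(infinite),
        "finite_total_s": round(sum(finite) / 1000, 1),
        "countdown_runs": len(runs),
        "longest_run": max((len(r) for r in runs), default=0),
        "median_step_ms": median(steps) if steps else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DELAYS_MS))
```

On the constructed subset the finite delays alone add up to roughly 31 minutes, and the full report lists far more of them; the infinite waits have to be shortened or skipped by the analysis environment, or the process simply never reaches the stage that follows the loop.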
Source: eJFCxXVOH.exe, 0000000A.00000002.1414558946.000000000732A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: eJFCxXVOH.exe, 0000000A.00000002.1414558946.000000000732A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 3SgC5vaFEg.exe, 00000009.00000002.2548812136.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2549013567.000000000166E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp"
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Process created: C:\Users\user\Desktop\3SgC5vaFEg.exe "C:\Users\user\Desktop\3SgC5vaFEg.exe"
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp"
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Process created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Process created: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
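The process-creation rows above show the evasion chain in order: the sample excludes both its own path and the dropped copy from Defender scanning, registers a scheduled task from an XML file in the user's Temp directory, and re-launches its own image. The script below is an added example, not code from the Joe Sandbox report or from the sample, showing how a detection engineer would turn those three behaviours into rules over process-creation telemetry and then tie them together: a Defender exclusion is far more interesting when the excluded path is also the process that registered a task. The event list is constructed from the rows above plus one benign control event; rule and function names are the example's own, not signature names from the report.

```python
"""Flag the Defender-exclusion, scheduled-task and self-spawn behaviour shown in
the "Process created" rows above. This is an added example, not code from the
Joe Sandbox report or from the sample; the event list is constructed from
those rows plus one benign control event."""
import re
from dataclasses import dataclass

# Constructed (parent image, child command line) pairs taken from the rows above.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"'),
    (r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"'),
    (r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp"'),
    (r"C:\Users\user\Desktop\3SgC5vaFEg.exe",
     r'"C:\Users\user\Desktop\3SgC5vaFEg.exe"'),
    (r"C:\Users\user\AppData\Roaming\eJFCxXVOH.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp"'),
    # Benign control (constructed): a user reading Defender settings from a shell.
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
]

# Rule names are the example's own, not signature names from the report.
RULES = {
    # Any Defender exclusion added from a command line.
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I),
    # A task registered from an XML file that lives in a Temp directory.
    "schtasks_xml_from_temp": re.compile(
        r'schtasks(\.exe)?"?\s+/create\b.*/xml\s+"?[^"\s]*\\temp\\', re.I),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    cmdline: str


def image_of(cmdline: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    m = re.match(r'\s*"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.split()[0]


def scan(events):
    """Run every rule over each event; also flag a process launching its own image,
    which in this report precedes the suspended-process injection step."""
    findings = []
    for parent, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                findings.append(Finding(name, parent, cmdline))
        if image_of(cmdline).lower() == parent.lower():
            findings.append(Finding("self_spawn", parent, cmdline))
    return findings


def excluded_paths(events):
    """Paths the command lines asked Defender to stop scanning."""
    rx = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.I)
    return sorted({m.group(1) for _, c in events for m in rx.finditer(c)})


def linked_persistence(events):
    """Excluded paths that also registered a task: the binary the task will run
    has been placed outside Defender's view before it is made persistent."""
    task_parents = {f.parent.lower() for f in scan(events)
                    if f.rule == "schtasks_xml_from_temp"}
    return [p for p in excluded_paths(events) if p.lower() in task_parents]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.parent} -> {f.cmdline[:70]}")
    print("exclusions tied to persistence:", linked_persistence(SAMPLE_EVENTS))
```

The exclusion rule fires on legitimate administration too, so on its own it is a hunting lead rather than an alert; the correlation in linked_persistence is what separates this chain from an admin tuning Defender. On a live host the same two facts can be confirmed with Get-MpPreference (ExclusionPath) and Get-ScheduledTask -TaskPath "\Updates\".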
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Queries volume information: C:\Users\user\Desktop\3SgC5vaFEg.exe VolumeInformation
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeQueries volume information: C:\Users\user\Desktop\3SgC5vaFEg.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\3SgC5vaFEg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.eJFCxXVOH.exe.3e29970.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.4519990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.eJFCxXVOH.exe.3e29970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.4519990.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2550406752.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2549778245.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2550406752.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2549778245.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3SgC5vaFEg.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3SgC5vaFEg.exe PID: 8064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eJFCxXVOH.exe PID: 7216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eJFCxXVOH.exe PID: 7296, type: MEMORYSTR

Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\3SgC5vaFEg.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.eJFCxXVOH.exe.3e29970.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.4519990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.eJFCxXVOH.exe.3e29970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.4519990.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2550406752.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2546306225.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2549778245.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3SgC5vaFEg.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3SgC5vaFEg.exe PID: 8064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eJFCxXVOH.exe PID: 7216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eJFCxXVOH.exe PID: 7296, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.45fb050.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.eJFCxXVOH.exe.3e29970.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.4519990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.eJFCxXVOH.exe.3e29970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.4519990.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3SgC5vaFEg.exe.45fb050.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2550406752.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2549778245.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2550406752.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2549778245.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3SgC5vaFEg.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3SgC5vaFEg.exe PID: 8064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eJFCxXVOH.exe PID: 7216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eJFCxXVOH.exe PID: 7296, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed per tactic column. Techniques the report marked as matched carry the report's marker in parentheses after the name; unmarked techniques are the matrix cells with no hit.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (11)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (23); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1633521 | Sample: 3SgC5vaFEg.exe | Startdate: 10/03/2025 | Architecture: WINDOWS | Score: 100

The graph's node/edge list, rebuilt as a process tree (the numbers after a process name are the graph's own per-process counters, kept as shown):

Start
  DNS/IP: mail.iaa-airferight.com; api.ipify.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
  +- 3SgC5vaFEg.exe 7 (started)
  |    Dropped: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe (PE32); C:\Users\...\eJFCxXVOH.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp4C9B.tmp (XML); C:\Users\user\AppData\...\3SgC5vaFEg.exe.log (ASCII)
  |    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  |    +- 3SgC5vaFEg.exe 15 2 (started)
  |    |    DNS/IP: mail.iaa-airferight.com 46.175.148.58, 25, ASLAGIDKOM-NETUA Ukraine; api.ipify.org 172.67.74.152, 443, 49694, 49696, CLOUDFLARENETUS United States
  |    +- powershell.exe 23 (started)
  |    |    Signatures: Loading BitLocker PowerShell Module
  |    |    +- conhost.exe (started)
  |    |    +- WmiPrvSE.exe (started)
  |    +- powershell.exe 23 (started)
  |    |    +- conhost.exe (started)
  |    +- schtasks.exe 1 (started)
  |         +- conhost.exe (started)
  +- eJFCxXVOH.exe 5 (started)
       Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
       +- eJFCxXVOH.exe (started)
       |    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
       +- schtasks.exe (started)
       |    +- conhost.exe (started)
       +- eJFCxXVOH.exe (started)
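The credential-store entries in the "Stealing of Sensitive Information" section and the network nodes in the behavior graph are the raw observations behind the report's four "Tries to harvest ..." signatures and its SMTP exfiltration path. The following triage helper is an added example for this page, not Joe Sandbox code: it replays those observations as constructed event records (the paths, registry keys, hosts and port are taken from the report; the `proc`/`kind`/`target`/`port` field names are this example's own), maps each to a signature family and an ATT&CK technique ID, and scores each process. The PuTTY registry key, the mail-client allow-list, the `smtp.example.org` control host and the scoring weights are assumptions, not observations from this run.

```python
"""Map the credential-store access and network activity recorded for this sample to
signature families and ATT&CK technique IDs, then score each process.
Added example for this page, not part of the Joe Sandbox report."""
import re
from collections import defaultdict

# Constructed from the report's "Key opened" / "File opened" lines and the behavior graph.
# The last record is a constructed benign control: a real mail client speaking SMTP.
EVENTS = [
    {"proc": "3SgC5vaFEg.exe", "kind": "reg",  "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"proc": "3SgC5vaFEg.exe", "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"proc": "3SgC5vaFEg.exe", "kind": "reg",  "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"proc": "3SgC5vaFEg.exe", "kind": "reg",  "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"proc": "3SgC5vaFEg.exe", "kind": "net",  "target": "api.ipify.org", "port": 443},
    {"proc": "3SgC5vaFEg.exe", "kind": "net",  "target": "mail.iaa-airferight.com", "port": 25},
    {"proc": "eJFCxXVOH.exe",  "kind": "reg",  "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"proc": "eJFCxXVOH.exe",  "kind": "file", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"proc": "eJFCxXVOH.exe",  "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"proc": "eJFCxXVOH.exe",  "kind": "file", "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"proc": "eJFCxXVOH.exe",  "kind": "file", "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"proc": "eJFCxXVOH.exe",  "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"proc": "thunderbird.exe", "kind": "net", "target": "smtp.example.org", "port": 25},  # constructed control
]

# (regex over the opened path or key, signature family, ATT&CK technique ID)
CRED_STORES = [
    (r"\\WinSCP 2\\Sessions$",                   "putty_winscp", "T1552.002"),  # Credentials in Registry
    (r"\\SimonTatham\\PuTTY\\Sessions$",         "putty_winscp", "T1552.002"),  # assumption: not opened in this run
    (r"\\User Data\\[^\\]+\\Login Data$",        "browser",      "T1555.003"),  # Credentials from Web Browsers
    (r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$",
                                                 "browser",      "T1555.003"),
    (r"\\Thunderbird\\profiles\.ini$",           "mail",         "T1555"),      # Credentials from Password Stores
    (r"Windows Messaging Subsystem\\Profiles$",  "mail",         "T1552.002"),
    (r"\\IncrediMail\\Identities$",              "mail",         "T1552.002"),
    (r"\\FTP Navigator\\Ftplist\.txt$",          "ftp",          "T1552.001"),  # Credentials In Files
]

MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}  # assumed allow-list of processes expected to speak SMTP
IP_LOOKUP_SERVICES = {"api.ipify.org"}             # public-IP echo the sample contacted before exfil


def classify(events):
    """Return {process: {"families": set, "techniques": set, "flags": set}}."""
    out = defaultdict(lambda: {"families": set(), "techniques": set(), "flags": set()})
    for ev in events:
        rec = out[ev["proc"]]
        if ev["kind"] in ("file", "reg"):
            for pattern, family, technique in CRED_STORES:
                if re.search(pattern, ev["target"], re.IGNORECASE):
                    rec["families"].add(family)
                    rec["techniques"].add(technique)
        elif ev["kind"] == "net":
            if ev["target"] in IP_LOOKUP_SERVICES:
                rec["flags"].add("external_ip_lookup")
                rec["techniques"].add("T1016")   # System Network Configuration Discovery
            if ev["port"] == 25 and ev["proc"].lower() not in MAIL_CLIENTS:
                rec["flags"].add("smtp_from_non_mail_client")
                rec["techniques"].add("T1048")   # Exfiltration Over Alternative Protocol
    return dict(out)


def score(rec):
    """Stealer-plus-exfil heuristic with illustrative weights: 25 per credential family,
    30 for direct SMTP from a non-mail client, 10 for a public-IP lookup, capped at 100."""
    s = 25 * len(rec["families"])
    s += 30 if "smtp_from_non_mail_client" in rec["flags"] else 0
    s += 10 if "external_ip_lookup" in rec["flags"] else 0
    return min(s, 100)


if __name__ == "__main__":
    for proc, rec in classify(EVENTS).items():
        print(f"{proc:16} score={score(rec):3} families={sorted(rec['families'])} "
              f"flags={sorted(rec['flags'])} attack={sorted(rec['techniques'])}")
```

Run as-is it reports the dropped copy eJFCxXVOH.exe at 100 (all four families the report's signatures name), the parent 3SgC5vaFEg.exe at 90 (WinSCP and mail stores plus the ipify lookup and the port-25 connection to mail.iaa-airferight.com), and the control mail client at 0. The port-25 rule is deliberately conditioned on the process name rather than on the destination, because AgentTesla's SMTP exfiltration goes to whatever mailbox the operator configured; the allow-list is what keeps legitimate clients quiet.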

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus detection, submitted sample:
Source | Detection | Scanner | Label | Link
3SgC5vaFEg.exe | 67% | Virustotal | | Browse
3SgC5vaFEg.exe | 68% | ReversingLabs | Win32.Trojan.Leonem |
3SgC5vaFEg.exe | 100% | Avira | TR/Agent_AGen.aiscp |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | 100% | Avira | TR/Agent_AGen.aiscp |
C:\Users\user\AppData\Roaming\eJFCxXVOH.exe | 68% | ReversingLabs | Win32.Trojan.Leonem |

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs:
Source | Detection | Scanner | Label | Link
http://mail.iaa-airferight.com | 100% | Avira URL Cloud | phishing |
Domains (Name / IP / Active / Malicious / Reputation):
mail.iaa-airferight.com  46.175.148.58  active: true  malicious: true  reputation: unknown
api.ipify.org  172.67.74.152  active: true  malicious: false  reputation: high
URLs (Name / Malicious / Reputation):
https://api.ipify.org/  malicious: false  reputation: high
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://api.ipify.org3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2546306225.0000000000434000.00000040.00000400.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://account.dyn.com/3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2546306225.0000000000436000.00000040.00000400.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://api.ipify.org/t3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name3SgC5vaFEg.exe, 00000001.00000002.1323046053.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, 3SgC5vaFEg.exe, 00000009.00000002.2549778245.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000A.00000002.1408668604.0000000003067000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.0000000003241000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://mail.iaa-airferight.com3SgC5vaFEg.exe, 00000009.00000002.2549778245.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, eJFCxXVOH.exe, 0000000F.00000002.2550406752.00000000032BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: phishing
                                unknown
IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
46.175.148.58  mail.iaa-airferight.com  Ukraine  56394  ASLAGIDKOM-NETUA  malicious: true
172.67.74.152  api.ipify.org  United States  13335  CLOUDFLARENETUS  malicious: false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1633521
                                Start date and time:2025-03-10 12:49:34 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 20s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:3SgC5vaFEg.exe
                                renamed because original name is a hash value
                                Original Sample Name:e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@21/15@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 131
                                • Number of non-executed functions: 6
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 23.199.214.10, 172.202.163.200
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time  Type  Description
07:50:35  API Interceptor  186x Sleep call for process: 3SgC5vaFEg.exe modified
07:50:37  API Interceptor  82x Sleep call for process: powershell.exe modified
07:50:41  API Interceptor  174x Sleep call for process: eJFCxXVOH.exe modified
12:50:38  Task Scheduler  Run new task: eJFCxXVOH path: C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
Context by IP (Match, then Associated Sample Name / URL  Detection  Threat Name  Context):
Match: 46.175.148.58
SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe  malicious  AgentTesla
PO 352995.exe  malicious  AgentTesla
Ningbo Overdue Invoice - JAN 23,2025.exe  malicious  AgentTesla
Bulk_OrderSheet_KIDO VINH.com.exe  malicious  AgentTesla
DHL - NINGBO OVERDUE INVOICES- FINAL REMINDER - 456034158.exe  malicious  AgentTesla
PO 352995.exe  malicious  AgentTesla
DHL%20-%20NINGBO%20OVERDUE%20INVOICES.exe  malicious  AgentTesla
PO24S1458(SEQ 2).com.exe  malicious  AgentTesla
2.exe  malicious  AgentTesla
Asco Valve Shanghai OrderPO-011024.exe  malicious  AgentTesla
Match: 172.67.74.152
NightFixed 1.0.exe  malicious  Unknown  api.ipify.org/
VibeCall.exe  malicious  RHADAMANTHYS  api.ipify.org/
VibeCall.exe  malicious  RHADAMANTHYS  api.ipify.org/
VibeCall.exe  malicious  RHADAMANTHYS  api.ipify.org/
Editing.exe  malicious  Unknown  api.ipify.org/
Terms_of_reference_06_01_2025_samsung.scr.exe  malicious  Unknown  api.ipify.org/
Contract for Partners.exe  malicious  Unknown  api.ipify.org/
JV4lf0wkWV.exe  malicious  Unknown  api.ipify.org/
Setup.exe  malicious  Unknown  api.ipify.org/?format=xml
jgbC220X2U.exe  malicious  Unknown  api.ipify.org/?format=text
Context by domain (Match, then Associated Sample Name / URL  Detection  Threat Name  Context):
Match: mail.iaa-airferight.com
SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe  malicious  AgentTesla  46.175.148.58
PO 352995.exe  malicious  AgentTesla  46.175.148.58
Ningbo Overdue Invoice - JAN 23,2025.exe  malicious  AgentTesla  46.175.148.58
Bulk_OrderSheet_KIDO VINH.com.exe  malicious  AgentTesla  46.175.148.58
DHL - NINGBO OVERDUE INVOICES- FINAL REMINDER - 456034158.exe  malicious  AgentTesla  46.175.148.58
PO 352995.exe  malicious  AgentTesla  46.175.148.58
DHL%20-%20NINGBO%20OVERDUE%20INVOICES.exe  malicious  AgentTesla  46.175.148.58
PO24S1458(SEQ 2).com.exe  malicious  AgentTesla  46.175.148.58
2.exe  malicious  AgentTesla  46.175.148.58
Asco Valve Shanghai OrderPO-011024.exe  malicious  AgentTesla  46.175.148.58
Match: api.ipify.org
BSDOC-2025.exe  malicious  AgentTesla  172.67.74.152
I24560875423784426VTL.scr.exe  malicious  AgentTesla  104.26.12.205
Transferencia Bancaria I2241624AH.exe  malicious  AgentTesla  104.26.13.205
https://drive.google.com/uc?export=download&id=1yo-ocLkBaj7zGZM1_WtILFQH2WJlBOtL  malicious  HTMLPhisher  172.67.74.152
xwM9kaAoeY.bat  malicious  Unknown  104.26.13.205
http://www.google.com/url?q=http%3A%2F%2Fbusiness-page-appealdepart-de.vercel.app&sa=D&sntz=1&usg=AOvVaw3y7XLatnyOzQiEGegrNq5u  malicious  Unknown  104.26.12.205
l5Cp6aAf3o.exe  malicious  AgentTesla  172.67.74.152
x4l3iVpFSc.exe  malicious  AgentTesla  104.26.13.205
HCoITD94bW.exe  malicious  AgentTesla  104.26.12.205
ZWyrFp7WBM.exe  malicious  AgentTesla  104.26.12.205
Context by ASN (Match, then Associated Sample Name / URL  Detection  Threat Name  Context):
Match: ASLAGIDKOM-NETUA
SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe  malicious  AgentTesla  46.175.148.58
PO 352995.exe  malicious  AgentTesla  46.175.148.58
Ningbo Overdue Invoice - JAN 23,2025.exe  malicious  AgentTesla  46.175.148.58
Bulk_OrderSheet_KIDO VINH.com.exe  malicious  AgentTesla  46.175.148.58
DHL - NINGBO OVERDUE INVOICES- FINAL REMINDER - 456034158.exe  malicious  AgentTesla  46.175.148.58
PO 352995.exe  malicious  AgentTesla  46.175.148.58
DHL%20-%20NINGBO%20OVERDUE%20INVOICES.exe  malicious  AgentTesla  46.175.148.58
PO24S1458(SEQ 2).com.exe  malicious  AgentTesla  46.175.148.58
2.exe  malicious  AgentTesla  46.175.148.58
Asco Valve Shanghai OrderPO-011024.exe  malicious  AgentTesla  46.175.148.58
Match: CLOUDFLARENETUS
CleanCloner.exe  malicious  Unknown  104.21.64.1
https://railrent.pexrayitech.com/  malicious  HTMLPhisher  104.18.95.41
TtO8ECC3Ok.exe  malicious  MSIL Logger, MassLogger RAT  104.21.16.1
NEW ORDER #3520187900.exe  malicious  Snake Keylogger  104.21.16.1
QUOTE TA-029 PE 273 - RFQ.exe  malicious  Snake Keylogger, VIP Keylogger  104.21.80.1
Request for Quotation MK FMHS.RFQ.250305.exe  malicious  GuLoader, Snake Keylogger  104.21.48.1
SKM0807678_Payment Confirmation.docx.exe  malicious  Snake Keylogger, VIP Keylogger  104.21.80.1
SOA.exe  malicious  Snake Keylogger, VIP Keylogger  104.21.80.1
Tax Invoice.scr.exe  malicious  Snake Keylogger, VIP Keylogger  104.21.64.1
ungziped_file.exe  malicious  FormBook  188.114.97.3
Context by dropped-file hash (Match, then Associated Sample Name / URL  Detection  Threat Name  Context):
Match: 3b5074b1b5d032e5620f69f9f700ff0e
0SfyatoN3z.exe  malicious  AgentTesla  172.67.74.152
QUOTE TA-029 PE 273 - RFQ.exe  malicious  Snake Keylogger, VIP Keylogger  172.67.74.152
Request for Quotation MK FMHS.RFQ.250305.exe  malicious  GuLoader, Snake Keylogger  172.67.74.152
SKM0807678_Payment Confirmation.docx.exe  malicious  Snake Keylogger, VIP Keylogger  172.67.74.152
SOA.exe  malicious  Snake Keylogger, VIP Keylogger  172.67.74.152
Tax Invoice.scr.exe  malicious  Snake Keylogger, VIP Keylogger  172.67.74.152
Zyhomzt.exe  malicious  Snake Keylogger, VIP Keylogger  172.67.74.152
BSDOC-2025.exe  malicious  AgentTesla  172.67.74.152
I24560875423784426VTL.scr.exe  malicious  AgentTesla  172.67.74.152
justificante de transferencia09454545.exe  malicious  GuLoader, Snake Keylogger  172.67.74.152
                                                    No context
                                                    Process:C:\Users\user\Desktop\3SgC5vaFEg.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    Process:C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):2232
                                                    Entropy (8bit):5.379552885213346
                                                    Encrypted:false
                                                    SSDEEP:48:fWSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMuge//ZM0Uyud:fLHxvCsIcnSKRHmOugr1d
                                                    MD5:B32142776745FD3463BAE1E5CAE41DEC
                                                    SHA1:BE08A09418261E3769D3098D76098CB51D3A1183
                                                    SHA-256:0EC3381EE719F605F890F13E58D5E6800D47C9437E82F794CD80255BC4794096
                                                    SHA-512:DB327363CCE6977903F517DA23AAFDD0FB578D67D86CAACC7EB7BF5B738C4A87B0915E8A2A71E1935FE3AC3632630F98AEF2174C88AA898848F8CA01A7C25460
                                                    Malicious:false
                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\3SgC5vaFEg.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1596
                                                    Entropy (8bit):5.105232235608636
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLGb+xv:cge7QYrFdOFzOzN33ODOiDdKrsuT6byv
                                                    MD5:1899A2466AFB27FC2A692827DDC0529D
                                                    SHA1:AE0571AFD5C08539F0EA44A1DD8AAA4E744CBA20
                                                    SHA-256:4B0B6F0833A45B751D08E12FE5D563F4106677A4F13B6FEEA38A10EE42537424
                                                    SHA-512:C9400262A0801F1819FBB04FEEDE7A8FBB9CDC69C0627FE8A28D2DA9DACFFC6666554EB32F97F638451950956756D5C4ED75ADEC10E204B654D532A55B25932D
                                                    Malicious:true
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                    Process:C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1596
                                                    Entropy (8bit):5.105232235608636
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLGb+xv:cge7QYrFdOFzOzN33ODOiDdKrsuT6byv
                                                    MD5:1899A2466AFB27FC2A692827DDC0529D
                                                    SHA1:AE0571AFD5C08539F0EA44A1DD8AAA4E744CBA20
                                                    SHA-256:4B0B6F0833A45B751D08E12FE5D563F4106677A4F13B6FEEA38A10EE42537424
                                                    SHA-512:C9400262A0801F1819FBB04FEEDE7A8FBB9CDC69C0627FE8A28D2DA9DACFFC6666554EB32F97F638451950956756D5C4ED75ADEC10E204B654D532A55B25932D
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                    Process:C:\Users\user\Desktop\3SgC5vaFEg.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):933888
                                                    Entropy (8bit):7.475204605846431
                                                    Encrypted:false
                                                    SSDEEP:24576:p40V/Ub05zPotO/rdChnkFZ4SkEa9bUxlF:prVMSzPMGrdCGD4SkLglF
                                                    MD5:8C528970280C14531DFA6A13C38E116B
                                                    SHA1:B036E0EC16CD82373909A75761F23AEF94361796
                                                    SHA-256:E87A5CB662913F9EB7A91BA0879B534DA9069F26E3176D9418B16B39EEF6F9FC
                                                    SHA-512:1526228589CBBF859847561C46F36BD2356C14834BE4A2B9046339DAB4B2BC7FA58221534C616FBE9DDCE2CE270147C7A953410D5350182F19489D82F9D478E8
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 68%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.g..............0.................. ........@.. ....................................@.................................@...O.......p...........................h...T............................................ ............... ..H............text........ ...................... ..`.rsrc...p...........................@..@.reloc...............>..............@..B................t.......H....... g...C..........................................................0..]........(.....(.....{.......8...%.r...p.%.r...p.%.r...p..(....(....(.... ............%...%...o.....*....0..6..........{....o....,...+!.{....o....,...+..{....o....,.....*2.{....o....*2.{....o....*.0..`........{.....{....o.......o.....{.....{....o....-.rC..p+..{....o....o.....|.....{....o....-..+..(....*.0..z........|.....(....(.....|.....(....(.....|.....(....(.....(....(....,..(....(....-.rY..pr<..p.
                                                    Process:C:\Users\user\Desktop\3SgC5vaFEg.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.475204605846431
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:3SgC5vaFEg.exe
                                                    File size:933'888 bytes
                                                    MD5:8c528970280c14531dfa6a13c38e116b
                                                    SHA1:b036e0ec16cd82373909a75761f23aef94361796
                                                    SHA256:e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc
                                                    SHA512:1526228589cbbf859847561c46f36bd2356c14834be4a2b9046339dab4b2bc7fa58221534c616fbe9ddce2ce270147c7a953410d5350182f19489d82f9d478e8
                                                    SSDEEP:24576:p40V/Ub05zPotO/rdChnkFZ4SkEa9bUxlF:prVMSzPMGrdCGD4SkLglF
                                                    TLSH:8115F3832A2DA6B6DE38673D40058CE991F01D5C6189B6A61BF87E3EF47C1215D0FE1E
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.g..............0.................. ........@.. ....................................@................................
                                                    Icon Hash:2946e68e96b3ca4d
                                                    Entrypoint:0x4ba492
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x67B750A8 [Thu Feb 20 15:56:24 2025 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the listing continues with zero bytes that the disassembler decodes as add byte ptr [eax], al; the jmp through the IAT slot is the only real instruction at the entry point)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba440 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x2b570 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb8768 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb8498 | 0xb8600 | f4330e3ec8a491189276298a7b9e6f70 | False | 0.8849986758474576 | data | 7.722979353069734 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xbc000 | 0x2b570 | 0x2b600 | 9cfc90d6a795dbc536015df669f45993 | False | 0.20857911563400577 | data | 5.11568057985841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe8000 | 0xc | 0x200 | d83d805229eab38de35860f966d3c6f8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xbc298 | 0x3751 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9929383518113127
RT_ICON | 0xbf9ec | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.0891251626641429
RT_ICON | 0xd0214 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.13335610678999368
RT_ICON | 0xd96bc | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.16816081330868762
RT_ICON | 0xdeb44 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15594000944733113
RT_ICON | 0xe2d6c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.23392116182572614
RT_ICON | 0xe5314 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.274624765478424
RT_ICON | 0xe63bc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.41885245901639345
RT_ICON | 0xe6d44 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5
RT_GROUP_ICON | 0xe71ac | 0x84 | data | | | 0.7045454545454546
RT_GROUP_ICON | 0xe7230 | 0x14 | data | | | 1.05
RT_VERSION | 0xe7244 | 0x32c | data | | | 0.4224137931034483
DLL | Import
mscoree.dll | _CorExeMain
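The static tables above describe the standard PE32 shape of a .NET executable: the entry point at 0x4ba492 is a single jmp through the IAT slot at 0x402000 (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, 8 bytes) into mscoree.dll's _CorExeMain, and the CLR runtime header follows it at RVA 0x2008 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x48 bytes). The Python below is an added example, not code from the Joe Sandbox report or from the sample: using only struct, it parses the COFF header, PE32 optional header, data directories and section table from raw bytes, maps the entry-point RVA to a file offset through the section table, and reports whether the image starts with exactly that IAT trampoline. The analysed binary is not reproduced here, so build_sample_pe() constructs a small test image whose header values copy the report (image base 0x400000, .text at RVA 0x2000, IAT 0x2000/0x8, CLR header 0x2008/0x48) but with a tiny .text section and an assumed entry RVA of 0x2050; those constructed values are marked in the code.

```python
import struct

# Data-directory indices defined by the PE format (IMAGE_DIRECTORY_ENTRY_*)
DIR_IMPORT = 1
DIR_IAT = 12
DIR_COM_DESCRIPTOR = 14   # CLR runtime header; non-zero only in .NET images


def parse_pe(data: bytes) -> dict:
    """Parse e_lfanew, COFF header, PE32 optional header, data directories and sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):   # section headers start right after the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Section whose virtual range contains rva, or None (handles .reloc-style vsize < raw size)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def rva_to_offset(pe: dict, rva: int) -> int:
    s = section_for_rva(pe, rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    return rva - s["va"] + s["raw_ptr"]


def is_dotnet_stub(data: bytes, pe: dict) -> bool:
    """True when the image has a CLR header and its entry point is the 6-byte
    FF 25 <abs addr> jump through an IAT slot (the _CorExeMain trampoline)."""
    com_rva, com_size = pe["dirs"][DIR_COM_DESCRIPTOR]
    if com_rva == 0 or com_size == 0:
        return False
    off = rva_to_offset(pe, pe["entry_rva"])
    if data[off:off + 2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", data, off + 2)[0]     # absolute VA of the IAT slot
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    iat_va = pe["image_base"] + iat_rva
    return iat_va <= target < iat_va + iat_size


def summarize(data: bytes) -> dict:
    pe = parse_pe(data)
    sec = section_for_rva(pe, pe["entry_rva"])
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "entry_section": sec["name"] if sec else None,
            "clr_header_rva": pe["dirs"][DIR_COM_DESCRIPTOR][0],
            "dotnet_stub": is_dotnet_stub(data, pe)}


def build_sample_pe(with_clr: bool = True) -> bytes:
    """Constructed test image, NOT the analysed sample: one .text section at RVA 0x2000 holding
    the IAT (0x2000, 8 bytes) and CLR header (0x2008, 0x48 bytes) as in the report, image base
    0x400000, and an assumed entry RVA 0x2050 containing jmp dword ptr [0x402000]."""
    image_base, text_rva, entry_rva = 0x400000, 0x2000, 0x2050
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)                   # section / file alignment
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    dirs = {DIR_IMPORT: (0x2060, 0x4F), DIR_IAT: (0x2000, 0x8)}
    if with_clr:
        dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, text_rva, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = bytearray(0x200)                                           # IAT slot at +0, filled by the loader
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)
    return headers + bytes(text)


if __name__ == "__main__":
    print(summarize(build_sample_pe()))
```

Run against the real file, parse_pe(open(path, "rb").read()) yields the same directory and section values the tables above list; the check in is_dotnet_stub is what distinguishes a genuine mscoree trampoline from a native entry point that merely happens to begin with an indirect jmp.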
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Ex05.GameInterface
FileVersion | 1.0.0.0
InternalName | WIS.exe
LegalCopyright | Copyright 2018
LegalTrademarks |
OriginalFilename | WIS.exe
ProductName | Ex05.GameInterface
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 12:50:39.266823053 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:39.266870022 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:39.266947985 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:39.299194098 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:39.299215078 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:40.942801952 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:40.942909002 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:40.946060896 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:40.946077108 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:40.946355104 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:40.997709990 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:41.384320974 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:41.428335905 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:41.914318085 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:41.951040030 CET | 443 | 49694 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:41.951117992 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:42.140635967 CET | 49694 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:45.255464077 CET | 49695 | 25 | 192.168.2.6 | 46.175.148.58
Mar 10, 2025 12:50:46.260802984 CET | 49695 | 25 | 192.168.2.6 | 46.175.148.58
Mar 10, 2025 12:50:47.979306936 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:47.979361057 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:47.979428053 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:47.984100103 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:47.984112978 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:48.260965109 CET | 49695 | 25 | 192.168.2.6 | 46.175.148.58
Mar 10, 2025 12:50:49.708873987 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:49.708966970 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:49.710977077 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:49.710994959 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:49.711317062 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:49.760942936 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:49.763863087 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:49.808329105 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:50.176616907 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:50.203718901 CET | 443 | 49696 | 172.67.74.152 | 192.168.2.6
Mar 10, 2025 12:50:50.203788996 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
Mar 10, 2025 12:50:50.206343889 CET | 49696 | 443 | 192.168.2.6 | 172.67.74.152
                                                    Mar 10, 2025 12:50:51.545363903 CET4969725192.168.2.646.175.148.58
                                                    Mar 10, 2025 12:50:52.260967016 CET4969525192.168.2.646.175.148.58
                                                    Mar 10, 2025 12:50:52.557719946 CET4969725192.168.2.646.175.148.58
                                                    Mar 10, 2025 12:50:54.573395014 CET4969725192.168.2.646.175.148.58
                                                    Mar 10, 2025 12:50:58.583533049 CET4969725192.168.2.646.175.148.58
                                                    Mar 10, 2025 12:51:00.264223099 CET4969525192.168.2.646.175.148.58
                                                    Mar 10, 2025 12:51:06.589174032 CET4969725192.168.2.646.175.148.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 12:50:39.245471001 CET | 49157 | 53 | 192.168.2.6 | 1.1.1.1
Mar 10, 2025 12:50:39.252430916 CET | 53 | 49157 | 1.1.1.1 | 192.168.2.6
Mar 10, 2025 12:50:45.238713026 CET | 64260 | 53 | 192.168.2.6 | 1.1.1.1
Mar 10, 2025 12:50:45.254523039 CET | 53 | 64260 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 10, 2025 12:50:39.245471001 CET | 192.168.2.6 | 1.1.1.1 | 0x9832 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 10, 2025 12:50:45.238713026 CET | 192.168.2.6 | 1.1.1.1 | 0x15d4 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 10, 2025 12:50:39.252430916 CET | 1.1.1.1 | 192.168.2.6 | 0x9832 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 12:50:39.252430916 CET | 1.1.1.1 | 192.168.2.6 | 0x9832 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 12:50:39.252430916 CET | 1.1.1.1 | 192.168.2.6 | 0x9832 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 12:50:45.254523039 CET | 1.1.1.1 | 192.168.2.6 | 0x15d4 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                                    • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49694 | 172.67.74.152 | 443 | 8064 | C:\Users\user\Desktop\3SgC5vaFEg.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-10 11:50:41 UTC | 155 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                    Host: api.ipify.org
                                                    Connection: Keep-Alive
2025-03-10 11:50:41 UTC | 425 | IN | HTTP/1.1 200 OK
                                                    Date: Mon, 10 Mar 2025 11:50:41 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 11
                                                    Connection: close
                                                    Vary: Origin
                                                    cf-cache-status: DYNAMIC
                                                    Server: cloudflare
                                                    CF-RAY: 91e2988e9c759c7e-IAD
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=24001&min_rtt=22206&rtt_var=9362&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=96759&cwnd=229&unsent_bytes=0&cid=12dfc69253abcb1b&ts=974&x=0"
2025-03-10 11:50:41 UTC | 11 | IN | Data Raw: 32 34 2e 33 2e 39 37 2e 31 30 32
                                                    Data Ascii: 24.3.97.102


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49696 | 172.67.74.152 | 443 | 7296 | C:\Users\user\AppData\Roaming\eJFCxXVOH.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-10 11:50:49 UTC | 155 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                    Host: api.ipify.org
                                                    Connection: Keep-Alive
2025-03-10 11:50:50 UTC | 425 | IN | HTTP/1.1 200 OK
                                                    Date: Mon, 10 Mar 2025 11:50:49 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 11
                                                    Connection: close
                                                    Vary: Origin
                                                    cf-cache-status: DYNAMIC
                                                    Server: cloudflare
                                                    CF-RAY: 91e298c25f7e8062-IAD
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=22952&min_rtt=22266&rtt_var=7453&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=114929&cwnd=55&unsent_bytes=0&cid=3372e885b4dbae39&ts=602&x=0"
2025-03-10 11:50:50 UTC | 11 | IN | Data Raw: 32 34 2e 33 2e 39 37 2e 31 30 32
                                                    Data Ascii: 24.3.97.102



                                                    Target ID:1
                                                    Start time:07:50:34
                                                    Start date:10/03/2025
                                                    Path:C:\Users\user\Desktop\3SgC5vaFEg.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\3SgC5vaFEg.exe"
                                                    Imagebase:0x7f0000
                                                    File size:933'888 bytes
                                                    MD5 hash:8C528970280C14531DFA6A13C38E116B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1326864398.0000000004519000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1326864398.0000000004572000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:07:50:36
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SgC5vaFEg.exe"
                                                    Imagebase:0x100000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:07:50:36
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff68dae0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:07:50:36
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
                                                    Imagebase:0x100000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:07:50:36
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff68dae0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:07:50:36
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C9B.tmp"
                                                    Imagebase:0x4a0000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:07:50:36
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff68dae0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:07:50:37
                                                    Start date:10/03/2025
                                                    Path:C:\Users\user\Desktop\3SgC5vaFEg.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\3SgC5vaFEg.exe"
                                                    Imagebase:0x5c0000
                                                    File size:933'888 bytes
                                                    MD5 hash:8C528970280C14531DFA6A13C38E116B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2549778245.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2546306225.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2549778245.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2549778245.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:07:50:39
                                                    Start date:10/03/2025
                                                    Path:C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                                                    Imagebase:0xa40000
                                                    File size:933'888 bytes
                                                    MD5 hash:8C528970280C14531DFA6A13C38E116B
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1411321149.00000000049CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1411321149.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 68%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:07:50:39
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                    Imagebase:0x7ff65f400000
                                                    File size:496'640 bytes
                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                    Has elevated privileges:true
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:12
                                                    Start time:07:50:43
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJFCxXVOH" /XML "C:\Users\user\AppData\Local\Temp\tmp6514.tmp"
                                                    Imagebase:0x4a0000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:07:50:45
                                                    Start date:10/03/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff68dae0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:07:50:46
                                                    Start date:10/03/2025
                                                    Path:C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
                                                    Imagebase:0x420000
                                                    File size:933'888 bytes
                                                    MD5 hash:8C528970280C14531DFA6A13C38E116B
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:07:50:46
                                                    Start date:10/03/2025
                                                    Path:C:\Users\user\AppData\Roaming\eJFCxXVOH.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Roaming\eJFCxXVOH.exe"
                                                    Imagebase:0xec0000
                                                    File size:933'888 bytes
                                                    MD5 hash:8C528970280C14531DFA6A13C38E116B
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2550406752.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2550406752.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2550406752.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false
