
Windows Analysis Report
general2.exe

Overview

General Information

Sample name: general2.exe
Analysis ID: 1637759
MD5: 0c8385f409c25d27afea98fa449eec71
SHA1: 1360d165313ef12b83834ed2e1116940003165d1
SHA256: 9cc6be3d02461e09150332b1b17402290c42d27b5cf95b50dfa053b3bd6a8205
Tags: exe, user-BastianHein

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • general2.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\general2.exe" MD5: 0C8385F409C25D27AFEA98FA449EEC71)
    • general.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Roaming\general.exe" MD5: EE5A5B401A28A6ABD9847EFB666FA15E)
      • powershell.exe (PID: 7840 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'general.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3324 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 5016 cmdline: C:\Windows\system32\WerFault.exe -u -p 7652 -s 3044 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\general.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7732 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
  • svchost.exe (PID: 7908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • general.exe (PID: 5980 cmdline: "C:\Users\user\AppData\Local\Temp\general.exe" MD5: EE5A5B401A28A6ABD9847EFB666FA15E)
  • general.exe (PID: 5840 cmdline: C:\Users\user\AppData\Local\Temp\general.exe MD5: EE5A5B401A28A6ABD9847EFB666FA15E)
  • general.exe (PID: 7624 cmdline: "C:\Users\user\AppData\Local\Temp\general.exe" MD5: EE5A5B401A28A6ABD9847EFB666FA15E)
  • general.exe (PID: 3044 cmdline: C:\Users\user\AppData\Local\Temp\general.exe MD5: EE5A5B401A28A6ABD9847EFB666FA15E)
  • cleanup
{"C2 url": ["team-yacht.gl.at.ply.gg"], "Port": 55201, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "SecurityHost.exe"}
Yara matches on dropped files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\general.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\general.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
C:\Users\user\AppData\Local\Temp\general.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc618:$str01: $VB$Local_Port
  • 0xc68b:$str02: $VB$Local_Host
  • 0xac94:$str03: get_Jpeg
  • 0xb28c:$str04: get_ServicePack
  • 0xe499:$str05: Select * from AntivirusProduct
  • 0xe95b:$str06: PCRestart
  • 0xe96f:$str07: shutdown.exe /f /r /t 0
  • 0xea0f:$str08: StopReport
  • 0xe9e5:$str09: StopDDos
  • 0xea55:$str10: sendPlugin
  • 0xebc5:$str12: -ExecutionPolicy Bypass -File "
  • 0xf096:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\general.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdcc0:$s6: VirtualBox
  • 0xdc1e:$s8: Win32_ComputerSystem
  • 0xff9d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1003a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1014f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xefb1:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\general.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Yara matches on memory dumps

Source | Rule | Description | Author | Strings
00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdac0:$s6: VirtualBox
  • 0xda1e:$s8: Win32_ComputerSystem
  • 0xfd9d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfe3a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xff4f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xedb1:$cnc4: POST / HTTP/1.1
00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Yara matches on unpacked PE files

Source | Rule | Description | Author | Strings
1.0.general.exe.290000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.0.general.exe.290000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
1.0.general.exe.290000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xc618:$str01: $VB$Local_Port
  • 0xc68b:$str02: $VB$Local_Host
  • 0xac94:$str03: get_Jpeg
  • 0xb28c:$str04: get_ServicePack
  • 0xe499:$str05: Select * from AntivirusProduct
  • 0xe95b:$str06: PCRestart
  • 0xe96f:$str07: shutdown.exe /f /r /t 0
  • 0xea0f:$str08: StopReport
  • 0xe9e5:$str09: StopDDos
  • 0xea55:$str10: sendPlugin
  • 0xebc5:$str12: -ExecutionPolicy Bypass -File "
  • 0xf096:$str13: Content-length: 5235
1.0.general.exe.290000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdcc0:$s6: VirtualBox
  • 0xdc1e:$s8: Win32_ComputerSystem
  • 0xff9d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1003a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1014f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xefb1:$cnc4: POST / HTTP/1.1
0.2.general2.exe.3061820.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\general.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\general.exe, ProcessId: 7652, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\general
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', ProcessId: 7840, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe', ProcessId: 1372, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe', ProcessId: 1372, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', ProcessId: 7840, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\general.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\general.exe, ProcessId: 7652, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\general
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', ProcessId: 7840, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\general.exe, ProcessId: 7652, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\general.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe", ProcessId: 3324, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe", ProcessId: 3324, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\general.exe", ParentImage: C:\Users\user\AppData\Roaming\general.exe, ParentProcessId: 7652, ParentProcessName: general.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe', ProcessId: 7840, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7908, ProcessName: svchost.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T22:57:04.351373+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 147.185.221.26 | 55201 | TCP


                      AV Detection

Source: general2.exe | Avira: detected
Source: team-yacht.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\general.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\general.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["team-yacht.gl.at.ply.gg"], "Port": 55201, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "SecurityHost.exe"}
Source: general2.exe | Virustotal: Detection: 58%
Source: general2.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | String decryptor: team-yacht.gl.at.ply.gg
Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | String decryptor: 55201
Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | String decryptor: <123456789>
Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | String decryptor: <Xwormmm>
Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp | String decryptor: SecurityHost.exe
Source: general2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: general2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbdY source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: general.exe, 00000001.00000002.2463196802.000000001BFA0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Configuration.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Xml.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: 0C:\Windows\mscorlib.pdb source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Windows.Forms.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.pdb` source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: general.exe, 00000001.00000002.2456960545.000000001B4BF000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdb source: general.exe, 00000001.00000002.2456960545.000000001B538000.00000004.00000020.00020000.00000000.sdmp, general.exe, 00000001.00000002.2409108662.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, WER92C7.tmp.dmp.29.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: general.exe, 00000001.00000002.2456960545.000000001B538000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Drawing.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Management.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: general.exe, 00000001.00000002.2409108662.0000000000702000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Core.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbx source: general.exe, 00000001.00000002.2463196802.000000001BFA0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.pdbz source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: indoC:\Windows\mscorlib.pdb source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr

                      Networking

                      barindex
                      Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49743 -> 147.185.221.26:55201
                      Source: Malware configuration extractorURLs: team-yacht.gl.at.ply.gg
                      Source: unknownDNS query: name: api.telegram.org
                      Source: global trafficTCP traffic: 192.168.2.4:49743 -> 147.185.221.26:55201
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                      Source: unknownDNS query: name: ip-api.com
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: global trafficDNS traffic detected: DNS query: team-yacht.gl.at.ply.gg
                      Source: global trafficDNS traffic detected: DNS query: i.ibb.co
Source: powershell.exe, 0000000E.00000002.1366829914.000001DCEC323000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB2908000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB2908000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB2908000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB293D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: general.exe, 00000001.00000002.2414573843.00000000027AF000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.0000000002A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i.ibb.co
Source: general.exe, 00000001.00000002.2414573843.0000000002A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i.ibb.cote
Source: general2.exe, 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, general.exe, 00000001.00000002.2414573843.0000000002531000.00000004.00000800.00020000.00000000.sdmp, general.exe.1.dr, general.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000005.00000002.1256543265.0000023890074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1352612423.000001DCE3DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1493380697.0000021ADFB05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1400843912.0000021ACFCB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1241543172.0000023880229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1301550378.000001DCD3F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1400843912.0000021ACFCB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: general.exe, 00000001.00000002.2414573843.0000000002531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1241543172.0000023880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1301550378.000001DCD3D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1400843912.0000021ACFA91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1241543172.0000023880229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1301550378.000001DCD3F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1400843912.0000021ACFCB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.29.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000011.00000002.1400843912.0000021ACFCB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1241543172.0000023880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1301550378.000001DCD3D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1400843912.0000021ACFA91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: general.exe, 00000001.00000002.2414573843.000000000257B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: general2.exe, 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, general.exe, 00000001.00000002.2414573843.000000000257B000.00000004.00000800.00020000.00000000.sdmp, general.exe.1.dr, general.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000011.00000002.1493380697.0000021ADFB05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1493380697.0000021ADFB05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1493380697.0000021ADFB05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB29B2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB29B2000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000011.00000002.1400843912.0000021ACFCB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: general.exe, 00000001.00000002.2414573843.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.000000000258D000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.0000000002A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.co
Source: general.exe, 00000001.00000002.2414573843.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000002.2414573843.0000000002A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.co(
Source: general2.exe, 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, general.exe, 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, general.exe, 00000001.00000002.2414573843.000000000258D000.00000004.00000800.00020000.00000000.sdmp, general.exe.1.dr, general.exe.0.dr | String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
Source: general.exe, 00000001.00000002.2414573843.0000000002A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.cote(
Source: powershell.exe, 00000005.00000002.1256543265.0000023890074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1352612423.000001DCE3DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1493380697.0000021ADFB05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000007.00000003.1203961451.0000020AB29B2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50730
Source: unknown | Network traffic detected: HTTP traffic on port 50693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51422 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51663 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50744
Source: unknown | Network traffic detected: HTTP traffic on port 52186 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50743
Source: unknown | Network traffic detected: HTTP traffic on port 51548 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50745
Source: unknown | Network traffic detected: HTTP traffic on port 50578 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50747
Source: unknown | Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50749
Source: unknown | Network traffic detected: HTTP traffic on port 51892 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51410 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50740
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50741
Source: unknown | Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52072 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50754
Source: unknown | Network traffic detected: HTTP traffic on port 51524 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50757
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50758
Source: unknown | Network traffic detected: HTTP traffic on port 52084 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50752
Source: unknown | Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52174 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52404 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51319 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50760
Source: unknown | Network traffic detected: HTTP traffic on port 51651 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50762
Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50761
Source: unknown | Network traffic detected: HTTP traffic on port 51789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50763
Source: unknown | Network traffic detected: HTTP traffic on port 51320 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51880 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51090 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51687 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 51192 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 51077 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 50783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51512 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50591 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50701
Source: unknown | Network traffic detected: HTTP traffic on port 52302 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50704
Source: unknown | Network traffic detected: HTTP traffic on port 50656 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50705
Source: unknown | Network traffic detected: HTTP traffic on port 51065 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51561 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51089 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50708
Source: unknown | Network traffic detected: HTTP traffic on port 51446 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52059 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50707
Source: unknown | Network traffic detected: HTTP traffic on port 51626 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50714
Source: unknown | Network traffic detected: HTTP traffic on port 51765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50716
Source: unknown | Network traffic detected: HTTP traffic on port 51434 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51103 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50719
Source: unknown | Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50718
Source: unknown | Network traffic detected: HTTP traffic on port 50808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52264 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50721
Source: unknown | Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51500 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51573 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50727
Source: unknown | Network traffic detected: HTTP traffic on port 52060 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51638 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50720
Source: unknown | Network traffic detected: HTTP traffic on port 52198 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52391 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 50644 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 52137 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51115 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52011 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52326 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50999 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50505 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50935 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52023 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50987 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51957 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51001 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52200 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52338 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51207
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51209
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown | Network traffic detected: HTTP traffic on port 51396 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51204
Source: unknown | Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51201
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51202
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52276 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51254 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52314 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51219
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51217
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 51384 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51211
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown | Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51215
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51212
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51213
Source: unknown | Network traffic detected: HTTP traffic on port 52212 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52149 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50923 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51945 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51127 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50777
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52162 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50776
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50779
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50911 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51140 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50778
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52047 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51266 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52288 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50771
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50770
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50773
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51933 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50772
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51025 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50775
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50774
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50350 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51701 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51372 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50607 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50362 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50788
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50787
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50789
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50173 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50780
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50782
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50781
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51827 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50784
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50783
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51806 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50786
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51139 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50785
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52150 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51498 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50734 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50476 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50799
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50798
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51360 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51790 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50791
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50790
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50793
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50792
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51245 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50619 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50795
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50794
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50797
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51675 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50223 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50796
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51409 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52035 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51839 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51921 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50349 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51013 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50488 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50746 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51966 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50514 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50185 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51278 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51536 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51144
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51145
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51142
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51143
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51148
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51149
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51146
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51147
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51176 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51151
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52146 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51152
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52387 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51150
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50389 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50400 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51852 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51164 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52203 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52375 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50148 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51611 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51155
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51156
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51840 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50377 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51153
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51154
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51159
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51157
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51158
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50755 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51162
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51347 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51163
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51160
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50812 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51161
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51954 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50502 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52158 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51166
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51167
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52215 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51164
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51165
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50390 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51152 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51168
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51169
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51170
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51173
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51174
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51623 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51171
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51172
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50767 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51359 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50824 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51177
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51178
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51175
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51176
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51179
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51180
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51181
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50996 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50136 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51184
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51185
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51588 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51182
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51183
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50665 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52110 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51257 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50365 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51108
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51109
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51106
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51107
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50424 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51876 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51100
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51101
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51104
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51105
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50353 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51102
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51103
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51942 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50161 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51323 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50848 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51119
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51117
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51118
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52109 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51111
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51112
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51110
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51115
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52087 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51116
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51113
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51114
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51269 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52171 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50677 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50067 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51016 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52351 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50743 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51929 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51128
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51188 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51129
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51335 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51122
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51123
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51864 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51120
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51121
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51126
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51127
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52363 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51004 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51124
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51125
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50836 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51130
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50412 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50341 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51793 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51930 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51139
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51133
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50689 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51134
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51242 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51131
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51132
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51137
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51138
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51135
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51136
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51140
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51141
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51270 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51406 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52099 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51230 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51471 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50260 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50690 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52252 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 52063 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 51282 -> 443
                      Source: C:\Users\user\AppData\Roaming\general.exe | Window created: window name: CLIPBRDWNDCLASS

                      Operating System Destruction

                      Source: C:\Users\user\AppData\Roaming\general.exe | Process information set: 01 00 00 00

                      System Summary

                      Source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                      Source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\general.exe | Code function: 1_2_00007FFC3DA725F1
                      Source: C:\Users\user\AppData\Roaming\general.exe | Code function: 1_2_00007FFC3DA79939
                      Source: C:\Users\user\AppData\Roaming\general.exe | Code function: 1_2_00007FFC3DA774D2
                      Source: C:\Users\user\AppData\Roaming\general.exe | Code function: 1_2_00007FFC3DA76726
                      Source: C:\Users\user\AppData\Roaming\general.exe | Code function: 1_2_00007FFC3DA716B9
                      Source: C:\Users\user\AppData\Roaming\general.exe | Code function: 1_2_00007FFC3DA72335
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 21_2_00007FFC3DA416B9
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 21_2_00007FFC3DA42335
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 22_2_00007FFC3DA616B9
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 22_2_00007FFC3DA60E9E
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 22_2_00007FFC3DA62335
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 23_2_00007FFC3DA516B9
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 23_2_00007FFC3DA52335
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 26_2_00007FFC3DA416B9
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Code function: 26_2_00007FFC3DA42335
                      Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7652 -s 3044
                      Source: general2.exe, 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWizClient.exe4 vs general2.exe
                      Source: general2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: general2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: general2.exe, DihqPjvRTDpERhx7eae2ShBNXdOJgr5XMzf0y7kyU2ilEytRHGBzEUlCNYiUv81v4oDnCXe3z.csCryptographic APIs: 'TransformFinalBlock'
                      Source: general.exe.0.dr, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: general.exe.0.dr, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: general.exe.0.dr, 7z6LSgbEFjS.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, 7z6LSgbEFjS.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, 7z6LSgbEFjS.csCryptographic APIs: 'TransformFinalBlock'
                      Source: general.exe.1.dr, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: general.exe.1.dr, A1Ugt8n7PUM.csCryptographic APIs: 'TransformFinalBlock'
                      Source: general.exe.0.dr, XdZfEHpGMrm.csBase64 encoded string: 'i+Lded5+BlK21VSN4ZyCfLS/Y2UCCGwLXAv0ka/MVUfWt+I6TlunwGXz8SynhRvD', 'HECX+FVjPwQQhYuLkwKFWDBWRxAi6sdLDKZVVOy/18yWfH7qWlXb89VfYjo6CQxG', 'u5fftZ+SecJQ4NZ3W9mNNVKkrGmXhW0y/zRAlxAoMmRIj1nI3WtCRFIE2nBPFwVk'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, XdZfEHpGMrm.csBase64 encoded string: 'i+Lded5+BlK21VSN4ZyCfLS/Y2UCCGwLXAv0ka/MVUfWt+I6TlunwGXz8SynhRvD', 'HECX+FVjPwQQhYuLkwKFWDBWRxAi6sdLDKZVVOy/18yWfH7qWlXb89VfYjo6CQxG', 'u5fftZ+SecJQ4NZ3W9mNNVKkrGmXhW0y/zRAlxAoMmRIj1nI3WtCRFIE2nBPFwVk'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, XdZfEHpGMrm.csBase64 encoded string: 'i+Lded5+BlK21VSN4ZyCfLS/Y2UCCGwLXAv0ka/MVUfWt+I6TlunwGXz8SynhRvD', 'HECX+FVjPwQQhYuLkwKFWDBWRxAi6sdLDKZVVOy/18yWfH7qWlXb89VfYjo6CQxG', 'u5fftZ+SecJQ4NZ3W9mNNVKkrGmXhW0y/zRAlxAoMmRIj1nI3WtCRFIE2nBPFwVk'
                      Source: general.exe.1.dr, XdZfEHpGMrm.csBase64 encoded string: 'i+Lded5+BlK21VSN4ZyCfLS/Y2UCCGwLXAv0ka/MVUfWt+I6TlunwGXz8SynhRvD', 'HECX+FVjPwQQhYuLkwKFWDBWRxAi6sdLDKZVVOy/18yWfH7qWlXb89VfYjo6CQxG', 'u5fftZ+SecJQ4NZ3W9mNNVKkrGmXhW0y/zRAlxAoMmRIj1nI3WtCRFIE2nBPFwVk'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: general.exe.1.dr, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: general.exe.1.dr, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: general.exe.0.dr, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: general.exe.0.dr, FesmP3Aza9d.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@27/30@4/5
Source: C:\Users\user\Desktop\general2.exe | File created: C:\Users\user\AppData\Roaming\general.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\general.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7652
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Users\user\Desktop\general2.exe | Mutant created: \Sessions\1\BaseNamedObjects\zJhuxZSdcu6KNcawA
Source: C:\Users\user\AppData\Roaming\general.exe | Mutant created: \Sessions\1\BaseNamedObjects\IAW25BNkuuc9r8Ta
Source: C:\Users\user\AppData\Roaming\general.exe | File created: C:\Users\user\AppData\Local\Temp\general.exe
Source: C:\Users\user\Desktop\general2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\general.bat" "
Source: general2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: general2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\general2.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\general2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: general2.exe | Virustotal: Detection: 58%
Source: general2.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\general2.exe "C:\Users\user\Desktop\general2.exe"
Source: C:\Users\user\Desktop\general2.exe | Process created: C:\Users\user\AppData\Roaming\general.exe "C:\Users\user\AppData\Roaming\general.exe"
Source: C:\Users\user\Desktop\general2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\general.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'general.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\general.exe "C:\Users\user\AppData\Local\Temp\general.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\general.exe C:\Users\user\AppData\Local\Temp\general.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\general.exe "C:\Users\user\AppData\Local\Temp\general.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\general.exe C:\Users\user\AppData\Local\Temp\general.exe
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7652 -s 3044
Source: C:\Users\user\Desktop\general2.exe | Process created: C:\Users\user\AppData\Roaming\general.exe "C:\Users\user\AppData\Roaming\general.exe"
Source: C:\Users\user\Desktop\general2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\general.bat" "
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe'
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'general.exe'
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe'
Source: C:\Users\user\AppData\Roaming\general.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\general2.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\general2.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\general.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ndfapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wdi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: duser.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: atlthunk.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\general2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: general.lnk.1.dr | LNK file: ..\..\..\..\..\..\Local\Temp\general.exe
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\general2.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: general2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: general2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbdY source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: general.exe, 00000001.00000002.2463196802.000000001BFA0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Configuration.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Xml.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: 0C:\Windows\mscorlib.pdb source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Windows.Forms.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.pdb` source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: general.exe, 00000001.00000002.2456960545.000000001B4BF000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdb source: general.exe, 00000001.00000002.2456960545.000000001B538000.00000004.00000020.00020000.00000000.sdmp, general.exe, 00000001.00000002.2409108662.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, WER92C7.tmp.dmp.29.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: general.exe, 00000001.00000002.2456960545.000000001B538000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Drawing.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Management.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: general.exe, 00000001.00000002.2409108662.0000000000702000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Core.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbx source: general.exe, 00000001.00000002.2463196802.000000001BFA0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.pdbz source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: indoC:\Windows\mscorlib.pdb source: general.exe, 00000001.00000002.2465038991.000000001C588000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdb source: WER92C7.tmp.dmp.29.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER92C7.tmp.dmp.29.dr

                      Data Obfuscation

                      Source: general.exe.0.dr, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XdZfEHpGMrm.ZUFQHGsc1y2,XdZfEHpGMrm.mkaUdPkSyE6,XdZfEHpGMrm.iexcIW94K1Y,XdZfEHpGMrm.aIJ3fLXyJZO,A1Ugt8n7PUM._65P5cDNu2kq()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: general.exe.0.dr, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OqQ76b3dEjT[2],A1Ugt8n7PUM.xhL4qg2zgne(Convert.FromBase64String(OqQ76b3dEjT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: general.exe.0.dr, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OqQ76b3dEjT[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XdZfEHpGMrm.ZUFQHGsc1y2,XdZfEHpGMrm.mkaUdPkSyE6,XdZfEHpGMrm.iexcIW94K1Y,XdZfEHpGMrm.aIJ3fLXyJZO,A1Ugt8n7PUM._65P5cDNu2kq()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OqQ76b3dEjT[2],A1Ugt8n7PUM.xhL4qg2zgne(Convert.FromBase64String(OqQ76b3dEjT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OqQ76b3dEjT[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XdZfEHpGMrm.ZUFQHGsc1y2,XdZfEHpGMrm.mkaUdPkSyE6,XdZfEHpGMrm.iexcIW94K1Y,XdZfEHpGMrm.aIJ3fLXyJZO,A1Ugt8n7PUM._65P5cDNu2kq()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OqQ76b3dEjT[2],A1Ugt8n7PUM.xhL4qg2zgne(Convert.FromBase64String(OqQ76b3dEjT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OqQ76b3dEjT[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XdZfEHpGMrm.ZUFQHGsc1y2,XdZfEHpGMrm.mkaUdPkSyE6,XdZfEHpGMrm.iexcIW94K1Y,XdZfEHpGMrm.aIJ3fLXyJZO,A1Ugt8n7PUM._65P5cDNu2kq()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OqQ76b3dEjT[2],A1Ugt8n7PUM.xhL4qg2zgne(Convert.FromBase64String(OqQ76b3dEjT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OqQ76b3dEjT[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: general.exe.0.dr, tSVEs2o8qQK.cs .Net Code: PlpQ2xjY0Yu System.AppDomain.Load(byte[])
                      Source: general.exe.0.dr, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ System.AppDomain.Load(byte[])
                      Source: general.exe.0.dr, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ
                      Source: general.exe.0.dr, A1Ugt8n7PUM.cs .Net Code: p4iUc8GogHP System.AppDomain.Load(byte[])
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs .Net Code: PlpQ2xjY0Yu System.AppDomain.Load(byte[])
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ System.AppDomain.Load(byte[])
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, A1Ugt8n7PUM.cs .Net Code: p4iUc8GogHP System.AppDomain.Load(byte[])
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs .Net Code: PlpQ2xjY0Yu System.AppDomain.Load(byte[])
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ System.AppDomain.Load(byte[])
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, A1Ugt8n7PUM.cs .Net Code: p4iUc8GogHP System.AppDomain.Load(byte[])
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs .Net Code: PlpQ2xjY0Yu System.AppDomain.Load(byte[])
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ System.AppDomain.Load(byte[])
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs .Net Code: D7DwKbZ4GdZ
                      Source: general.exe.1.dr, A1Ugt8n7PUM.cs .Net Code: p4iUc8GogHP System.AppDomain.Load(byte[])
                      Source: C:\Users\user\Desktop\general2.exe Code function: 0_2_00007FFC3DA400BD pushad ; iretd 0_2_00007FFC3DA400C1
                      Source: C:\Users\user\AppData\Roaming\general.exe Code function: 1_2_00007FFC3DA700BD pushad ; iretd 1_2_00007FFC3DA700C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFC3D95D2A5 pushad ; iretd 5_2_00007FFC3D95D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFC3DA700BD pushad ; iretd 5_2_00007FFC3DA700C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFC3DB42316 push 8B485F91h; iretd 5_2_00007FFC3DB4231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3D94D2A5 pushad ; iretd 14_2_00007FFC3D94D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA6A64B push ebp; retf 14_2_00007FFC3DA6A67A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA6A5AC push ecx; retf 14_2_00007FFC3DA6A5AD
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA6A5E5 push ecx; retf 14_2_00007FFC3DA6A5E6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA6A525 push ecx; retf 14_2_00007FFC3DA6A57A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA6A56C push ecx; retf 14_2_00007FFC3DA6A57A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA600BD pushad ; iretd 14_2_00007FFC3DA600C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFC3DA6A74B push edi; retf 14_2_00007FFC3DA6A77A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFC3D93D2A5 pushad ; iretd 17_2_00007FFC3D93D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFC3DA500BD pushad ; iretd 17_2_00007FFC3DA500C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFC3DA58AF2 push edx; retf 17_2_00007FFC3DA58AFA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFC3DA58AE9 push ecx; retf 17_2_00007FFC3DA58AEA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFC3DA58AD7 push eax; retf 17_2_00007FFC3DA58ADA
                      Source: C:\Users\user\AppData\Local\Temp\general.exe Code function: 21_2_00007FFC3DA400BD pushad ; iretd 21_2_00007FFC3DA400C1
                      Source: C:\Users\user\AppData\Local\Temp\general.exe Code function: 22_2_00007FFC3DA600BD pushad ; iretd 22_2_00007FFC3DA600C1
                      Source: C:\Users\user\AppData\Local\Temp\general.exe Code function: 23_2_00007FFC3DA500BD pushad ; iretd 23_2_00007FFC3DA500C1
                      Source: C:\Users\user\AppData\Local\Temp\general.exe Code function: 26_2_00007FFC3DA400BD pushad ; iretd 26_2_00007FFC3DA400C1
                      Source: general2.exe Static PE information: section name: .text entropy: 7.889626149827764
                      Source: general2.exe, DihqPjvRTDpERhx7eae2ShBNXdOJgr5XMzf0y7kyU2ilEytRHGBzEUlCNYiUv81v4oDnCXe3z.cs High entropy of concatenated method names: 'iwXIIIpCty3vi2DX0EFw6jFYk4UsSD8qDuRxqZOxyONXZ7VU9xXfm9BEVRHr2XsGNA92QX7wy', 'YTEbToSloHb72Pym1tj3lZvPv28zaSWKad9OaTR91343diyZCADCvqDb38v2LMEXShn6KL6ZP', 'kZbvWBWTBhrU4SsYwDnXntZR3vQd53YeDVnnHOlwKy4KCLF9VG7xUaV9fN5Cp2pPvZd6zdRXV', 'nHr24dzYWiktztJKFULDoQj8d4GQDFpTP1HGyYlep1b5ZTcUQifUK6hvs1vi73M1xE2zPjvEc', 'iHpVhP5HZTbtrL5plSvDvLkQOhIJki5iwHUHpgTRnFolzHdwdQps00tAVm8P3GQuAchKnVxwm', 'FGqk4mYFdiXEv1rB0lWhY6xt4NcNn7wAlB7hr58ThSVTji0EkvpEEcoVeWK10FLjPjYkit8pz', 'tH39aSVFlPs1cgT9taonQACItGcYEZhqSxWgxI4MkFKrWhFCeMxDVCi71pfyPmeXkqt4MIgRT', '_0HMJlG11fBzt3TZRJNqLlGUUUQuQd2JoiwaQHbYV87GjGuWFdPWp7ZQcLXJ8iBgfWbsLUtgo5', '_9793PZZ9rns9dQ7vDibUtpYetUiePqGhiigAXjYjm8gffwqu4hx1xojM6F4hwcKmZ8ci41pup', '_6dUO47nF5wsnEy2ItlzyabAghVVWS6DkePlXNYtL3KeMecpn6GqQkyg9dNmCEszIXDdca3zvi'
                      Source: general2.exe, OdW7Gk12ClLuagwaH7FyG6UbWDrEnBbuPOA9PQbFCq9Ayj7nLUr2ARMmuyLnoDf1qH4AqMAgk.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2T5ti22Vuw9IhVcXvLxFEcVT6WIif7061qIBGs3qNU25VuAX0lMlhkILGlMzGtO0hfjT2xqlj', 'hwMf0YqEH4bNNU81nwaYTfbw2rB2gt9ekRcnP1Rw96LSAhZ3GhCgqRTeTsc0cCL3OPN7ajirA', 'muS4I9hNujkbUyRYMronPvilsBf8h0eWEoyDwOu7xzxNtryqMV8K0eSpQm2qdzbxMRXqkSZ01', 'TXzVO3rIrqEWXfoE8MGX5ClYnt0TsCdJ6WIZ9B1kHc2QkndY2VUXXFSHL1RhDipFyEQdmer4g'
                      Source: general.exe.0.dr, XdZfEHpGMrm.cs High entropy of concatenated method names: 'DQs6fBA9BXi48xsvUTc2iCPgLPFkWqQIP8ZPjqTjThjRz8kcfXC8ccMFxKBf7o9vMPn8CSDl46pKFw2qNEqR6x', 'CVyy8VWjonTZ2qFg4ZXUYbxzA6zrtR8wYkoR35UNxSEwQ5Tf7kxDlX68MTaKDEkq6PGSOWC70XKFl3QCl5vYMz', 'DZFGLibP0oP8eLEsI8nLbmeovmxDdiv2bi8SLcsFRq226NSKYwU6jpjxN6xjEtXGDKGYlsfupchqLQoHowo0oQ', 'UrX59REjtULmlcltriVTyO4A7JmXJePAl3SQZLrnIwGeK9DqN9YbhSC95pVw60VXfb3PXxOF2QkU5vty77XQZy'
                      Source: general.exe.0.dr, EMckcO7CUGa.cs High entropy of concatenated method names: 'pqliOUYHsoC', 'oN1KQe8lGC4', 'd8TfZFp3Jxx', 'YBpBsRwytsqICN9ABXtTAWW1qXJSsby3Z6nMT8m2xRPTxWQmidIKg31qBoPky', 'iREISeH18R1ZuJv5ESgrRwrfmTFWKVY3vdD8wFCmMtZCpEQybwTExp32Y87oA', 'VG8B1GsUMDD5U7XtYqZrkQeVdQJxT3E6NeAVzshEwVoNzCNhHrf75mftzwNwA', 'ql1s7pnjieUz4mUdUT09TWGMbAprTJu6zUS707CoNATwpZ5BEuC5FS2M5yagf', 'zwZQNS4ApCFmLQqZM8FvCLer2nrWeCB9lyaFF53LiSvhfRbu6Oc5S6D3nRkPo', 'QxofHaCm6Bz7hQUNgAxO1Sy1ZRbsJweu5MfUavRcucl8QXduaRtkG3V91ldSW', 'tdrL70uDe2Diw7unt0sroqExdkMA904UREAinGD6nJHx1md36FOhdY9o1MQS7'
                      Source: general.exe.0.dr, s1XEUkW2pfCzLQDXoIwe495yOObsB7imj7W7QYHoJjeXBEWu1OVMBKIxGpRkl6LEhiwW0.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cMg5z1oLITFddBXdezdXGipJZREND7Pvr6OmkEv6YoTiHQTsQy2SrY08nA8lgwxdtyT5vWrZ1D9PFGoF5s2BNL', 'OLaHFkdoQJSMjKcr2ulfUACRY5Or3VesubkyugnlGXtU1CDcAoRbhDrG4Ckf2vlvvtqSK3YwqbzDGby08LspnG', '_2OspHhF4W5mN36Ur4qfIygi7D6UyMiQ0nJqF6Rla4If2Wl4UgSkNs51UjLBgq4R7IF4DaisJR0KVuyh7q5GNVn', '_1r1jDz9CTd75tuDQMYTugf3KP4UDlRKNOzt8EUU6o3SjD72FTDr9f6plGbDf2ok4ACgPTAFuZTQZeZ4acld0II'
                      Source: general.exe.0.dr, FmWj75oEetm.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'prXZJ8lYVDU', 'LpOuJAb7H7hvRMdBVQ1AnaODmZFe', 'XnDomnyD2KrKgztSu0n8UgcyTtMr', '_5qAjOufp4L6I1T0lMBnmu3dUGIfT', 'rKegVYWo67YPPc243eop1fzYWZa9'
                      Source: general.exe.0.dr, MPa6Xr0AQZC.cs High entropy of concatenated method names: '_6GJVgQM8ptZ', 'Uem2lyvitHQ', 'LwA1Ll1CEEddV47RmDUB5Yj4KPMy', 'xMNrPIaDJbC7HdOcmntyD77XmEqe', 'UUf2ewjfCbPiFGAflcvfzRGlSkQG', 'NqGWGNbLp8mIYt5hWK4rMAFCSL56'
                      Source: general.exe.0.dr, tSVEs2o8qQK.cs High entropy of concatenated method names: 'QQdqdwEzwib', 'PlpQ2xjY0Yu', 'HgLRuS16jhU', 'zsQ2UJtzolS', 'PNxIzAlBrv2', 'v5EVct5tPPJ', 'UttU7w2EINj', 'UhRzgrDfxOy', '_4D1663jKxhk', 'ZDElxlR2TbR'
                      Source: general.exe.0.dr, oLciS9U7F8J.cs High entropy of concatenated method names: 'V7vZhTMJzl9', 'oWqCd5BBEjh', 'G4IvTHq7vFh', 'zyHixVgVu3U', 'hxOkwmFNJML', '_9ZGEoWFw2Yd', 'DsVF7W4N6O1', 'AnzZfRiGTgu', 'IiVmSm1uOum', '_2fU6Clf7cUk'
                      Source: general.exe.0.dr, FesmP3Aza9d.cs High entropy of concatenated method names: '_6vsMeptCbpv', 'sSPVo6tUmJu', 'dnBOevtILiX', '_0ltWRJ4t5ce', 'IUwWLSpCTWJ', 'wmL279qXtuI', '_3SevEQx02uf', 'pNd7xyhpi0O', 'HAdlIvjtPKH', 'M1pZzA8m5tI'
                      Source: general.exe.0.dr, A1Ugt8n7PUM.cs High entropy of concatenated method names: 'C0wo8T890AP', 'kkLtkVuscjB', '_4uEBk2afzGG', 'OWkdxM5AvKC', 'V8BiFvVfWEw', 'NMsttSLJYd1', 'gc1KRSHaC1X', 'ya3YoJcl4DG', 'pxfwzOlrv6w', '_5fMIOHRWH14'
                      Source: general.exe.0.dr, km6uzU2PJfC.cs High entropy of concatenated method names: '_33ClyxylmpT', 'oWrFf3GwLzJ', 'WW4RrUPouxv', 'ZSs7XEfPb5N', 'Za6uTmQ6gRu', 'EGqjsVqKxJc', 'HZSIwTobkCH', 'VDIILCBnb0b', '_30sQFmtMkbt', '_2DHvX8i8xXH'
                      Source: general.exe.0.dr, WVVv3SSHvfS.cs High entropy of concatenated method names: 'T7A1IkzhkIA', 'SRidmsVPLye', 'Jn6iXm1R3Jg', '_3XAMaQy2UXMLxjY6nDX6fzQnKesV', 'HKhf5kxG9SQlmpxxPOFDKhPPkt0E', 'D8N5hXFIud6X0f3445kJ3V8PJ1fY', 'M1cPiPPIob5NFuX4p12gnGpQbjrU', 'k8ibfBeIUT3kvmiyq2q4MunLO7Ej', '_0DOxrZIHYBMehv1nUO4sb5cn4BBj', 'S9VHLccOmQF3AEoelWKMEdSUulJp'
                      Source: general.exe.0.dr, eCzk9tVJCnA.cs High entropy of concatenated method names: 'kLodWjV5GDN', 'u3RqEbrppQv', 'cM8IBb03upE', '_5pDdQVaE5eJ', '_54cEAmTAZjfM7WrEI9qANKz7KxI2', 'o5Ihkex9rQAZ6R6Wz6Mry8Z6jmQL', 'wJ4iZRjf3jsKaK2zGXeQ3tmHPZrT', 'RkFy8x9f6L0C2lnwpg99cmwrzUED', 'MA1sbMrks8xs30jDXEMOdFNjhAbh', 'gr9Pm2upLExSPHZtJQftttKU8rrt'
                      Source: general.exe.0.dr, 7z6LSgbEFjS.cs High entropy of concatenated method names: 'F2FiFjSw04D', 'bYVuPAlRtqOBwNNkFp7x45kBOpKW', 'coqFBwJ4ORVOG33lOBaETj2xbUnp', 'bfwawa0dlYXCsTXbV8xyTt0dqyuy', 'CQw7zqrd295s51xWEJtxImGHVxrQ'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, XdZfEHpGMrm.cs High entropy of concatenated method names: 'DQs6fBA9BXi48xsvUTc2iCPgLPFkWqQIP8ZPjqTjThjRz8kcfXC8ccMFxKBf7o9vMPn8CSDl46pKFw2qNEqR6x', 'CVyy8VWjonTZ2qFg4ZXUYbxzA6zrtR8wYkoR35UNxSEwQ5Tf7kxDlX68MTaKDEkq6PGSOWC70XKFl3QCl5vYMz', 'DZFGLibP0oP8eLEsI8nLbmeovmxDdiv2bi8SLcsFRq226NSKYwU6jpjxN6xjEtXGDKGYlsfupchqLQoHowo0oQ', 'UrX59REjtULmlcltriVTyO4A7JmXJePAl3SQZLrnIwGeK9DqN9YbhSC95pVw60VXfb3PXxOF2QkU5vty77XQZy'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, EMckcO7CUGa.cs High entropy of concatenated method names: 'pqliOUYHsoC', 'oN1KQe8lGC4', 'd8TfZFp3Jxx', 'YBpBsRwytsqICN9ABXtTAWW1qXJSsby3Z6nMT8m2xRPTxWQmidIKg31qBoPky', 'iREISeH18R1ZuJv5ESgrRwrfmTFWKVY3vdD8wFCmMtZCpEQybwTExp32Y87oA', 'VG8B1GsUMDD5U7XtYqZrkQeVdQJxT3E6NeAVzshEwVoNzCNhHrf75mftzwNwA', 'ql1s7pnjieUz4mUdUT09TWGMbAprTJu6zUS707CoNATwpZ5BEuC5FS2M5yagf', 'zwZQNS4ApCFmLQqZM8FvCLer2nrWeCB9lyaFF53LiSvhfRbu6Oc5S6D3nRkPo', 'QxofHaCm6Bz7hQUNgAxO1Sy1ZRbsJweu5MfUavRcucl8QXduaRtkG3V91ldSW', 'tdrL70uDe2Diw7unt0sroqExdkMA904UREAinGD6nJHx1md36FOhdY9o1MQS7'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, s1XEUkW2pfCzLQDXoIwe495yOObsB7imj7W7QYHoJjeXBEWu1OVMBKIxGpRkl6LEhiwW0.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cMg5z1oLITFddBXdezdXGipJZREND7Pvr6OmkEv6YoTiHQTsQy2SrY08nA8lgwxdtyT5vWrZ1D9PFGoF5s2BNL', 'OLaHFkdoQJSMjKcr2ulfUACRY5Or3VesubkyugnlGXtU1CDcAoRbhDrG4Ckf2vlvvtqSK3YwqbzDGby08LspnG', '_2OspHhF4W5mN36Ur4qfIygi7D6UyMiQ0nJqF6Rla4If2Wl4UgSkNs51UjLBgq4R7IF4DaisJR0KVuyh7q5GNVn', '_1r1jDz9CTd75tuDQMYTugf3KP4UDlRKNOzt8EUU6o3SjD72FTDr9f6plGbDf2ok4ACgPTAFuZTQZeZ4acld0II'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, FmWj75oEetm.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'prXZJ8lYVDU', 'LpOuJAb7H7hvRMdBVQ1AnaODmZFe', 'XnDomnyD2KrKgztSu0n8UgcyTtMr', '_5qAjOufp4L6I1T0lMBnmu3dUGIfT', 'rKegVYWo67YPPc243eop1fzYWZa9'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, MPa6Xr0AQZC.cs High entropy of concatenated method names: '_6GJVgQM8ptZ', 'Uem2lyvitHQ', 'LwA1Ll1CEEddV47RmDUB5Yj4KPMy', 'xMNrPIaDJbC7HdOcmntyD77XmEqe', 'UUf2ewjfCbPiFGAflcvfzRGlSkQG', 'NqGWGNbLp8mIYt5hWK4rMAFCSL56'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, tSVEs2o8qQK.cs High entropy of concatenated method names: 'QQdqdwEzwib', 'PlpQ2xjY0Yu', 'HgLRuS16jhU', 'zsQ2UJtzolS', 'PNxIzAlBrv2', 'v5EVct5tPPJ', 'UttU7w2EINj', 'UhRzgrDfxOy', '_4D1663jKxhk', 'ZDElxlR2TbR'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, oLciS9U7F8J.cs High entropy of concatenated method names: 'V7vZhTMJzl9', 'oWqCd5BBEjh', 'G4IvTHq7vFh', 'zyHixVgVu3U', 'hxOkwmFNJML', '_9ZGEoWFw2Yd', 'DsVF7W4N6O1', 'AnzZfRiGTgu', 'IiVmSm1uOum', '_2fU6Clf7cUk'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, FesmP3Aza9d.cs High entropy of concatenated method names: '_6vsMeptCbpv', 'sSPVo6tUmJu', 'dnBOevtILiX', '_0ltWRJ4t5ce', 'IUwWLSpCTWJ', 'wmL279qXtuI', '_3SevEQx02uf', 'pNd7xyhpi0O', 'HAdlIvjtPKH', 'M1pZzA8m5tI'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, A1Ugt8n7PUM.cs High entropy of concatenated method names: 'C0wo8T890AP', 'kkLtkVuscjB', '_4uEBk2afzGG', 'OWkdxM5AvKC', 'V8BiFvVfWEw', 'NMsttSLJYd1', 'gc1KRSHaC1X', 'ya3YoJcl4DG', 'pxfwzOlrv6w', '_5fMIOHRWH14'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, km6uzU2PJfC.cs High entropy of concatenated method names: '_33ClyxylmpT', 'oWrFf3GwLzJ', 'WW4RrUPouxv', 'ZSs7XEfPb5N', 'Za6uTmQ6gRu', 'EGqjsVqKxJc', 'HZSIwTobkCH', 'VDIILCBnb0b', '_30sQFmtMkbt', '_2DHvX8i8xXH'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, WVVv3SSHvfS.cs High entropy of concatenated method names: 'T7A1IkzhkIA', 'SRidmsVPLye', 'Jn6iXm1R3Jg', '_3XAMaQy2UXMLxjY6nDX6fzQnKesV', 'HKhf5kxG9SQlmpxxPOFDKhPPkt0E', 'D8N5hXFIud6X0f3445kJ3V8PJ1fY', 'M1cPiPPIob5NFuX4p12gnGpQbjrU', 'k8ibfBeIUT3kvmiyq2q4MunLO7Ej', '_0DOxrZIHYBMehv1nUO4sb5cn4BBj', 'S9VHLccOmQF3AEoelWKMEdSUulJp'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, eCzk9tVJCnA.cs High entropy of concatenated method names: 'kLodWjV5GDN', 'u3RqEbrppQv', 'cM8IBb03upE', '_5pDdQVaE5eJ', '_54cEAmTAZjfM7WrEI9qANKz7KxI2', 'o5Ihkex9rQAZ6R6Wz6Mry8Z6jmQL', 'wJ4iZRjf3jsKaK2zGXeQ3tmHPZrT', 'RkFy8x9f6L0C2lnwpg99cmwrzUED', 'MA1sbMrks8xs30jDXEMOdFNjhAbh', 'gr9Pm2upLExSPHZtJQftttKU8rrt'
                      Source: 0.2.general2.exe.3073c60.2.raw.unpack, 7z6LSgbEFjS.cs High entropy of concatenated method names: 'F2FiFjSw04D', 'bYVuPAlRtqOBwNNkFp7x45kBOpKW', 'coqFBwJ4ORVOG33lOBaETj2xbUnp', 'bfwawa0dlYXCsTXbV8xyTt0dqyuy', 'CQw7zqrd295s51xWEJtxImGHVxrQ'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, XdZfEHpGMrm.cs High entropy of concatenated method names: 'DQs6fBA9BXi48xsvUTc2iCPgLPFkWqQIP8ZPjqTjThjRz8kcfXC8ccMFxKBf7o9vMPn8CSDl46pKFw2qNEqR6x', 'CVyy8VWjonTZ2qFg4ZXUYbxzA6zrtR8wYkoR35UNxSEwQ5Tf7kxDlX68MTaKDEkq6PGSOWC70XKFl3QCl5vYMz', 'DZFGLibP0oP8eLEsI8nLbmeovmxDdiv2bi8SLcsFRq226NSKYwU6jpjxN6xjEtXGDKGYlsfupchqLQoHowo0oQ', 'UrX59REjtULmlcltriVTyO4A7JmXJePAl3SQZLrnIwGeK9DqN9YbhSC95pVw60VXfb3PXxOF2QkU5vty77XQZy'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, EMckcO7CUGa.cs High entropy of concatenated method names: 'pqliOUYHsoC', 'oN1KQe8lGC4', 'd8TfZFp3Jxx', 'YBpBsRwytsqICN9ABXtTAWW1qXJSsby3Z6nMT8m2xRPTxWQmidIKg31qBoPky', 'iREISeH18R1ZuJv5ESgrRwrfmTFWKVY3vdD8wFCmMtZCpEQybwTExp32Y87oA', 'VG8B1GsUMDD5U7XtYqZrkQeVdQJxT3E6NeAVzshEwVoNzCNhHrf75mftzwNwA', 'ql1s7pnjieUz4mUdUT09TWGMbAprTJu6zUS707CoNATwpZ5BEuC5FS2M5yagf', 'zwZQNS4ApCFmLQqZM8FvCLer2nrWeCB9lyaFF53LiSvhfRbu6Oc5S6D3nRkPo', 'QxofHaCm6Bz7hQUNgAxO1Sy1ZRbsJweu5MfUavRcucl8QXduaRtkG3V91ldSW', 'tdrL70uDe2Diw7unt0sroqExdkMA904UREAinGD6nJHx1md36FOhdY9o1MQS7'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, s1XEUkW2pfCzLQDXoIwe495yOObsB7imj7W7QYHoJjeXBEWu1OVMBKIxGpRkl6LEhiwW0.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cMg5z1oLITFddBXdezdXGipJZREND7Pvr6OmkEv6YoTiHQTsQy2SrY08nA8lgwxdtyT5vWrZ1D9PFGoF5s2BNL', 'OLaHFkdoQJSMjKcr2ulfUACRY5Or3VesubkyugnlGXtU1CDcAoRbhDrG4Ckf2vlvvtqSK3YwqbzDGby08LspnG', '_2OspHhF4W5mN36Ur4qfIygi7D6UyMiQ0nJqF6Rla4If2Wl4UgSkNs51UjLBgq4R7IF4DaisJR0KVuyh7q5GNVn', '_1r1jDz9CTd75tuDQMYTugf3KP4UDlRKNOzt8EUU6o3SjD72FTDr9f6plGbDf2ok4ACgPTAFuZTQZeZ4acld0II'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, FmWj75oEetm.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'prXZJ8lYVDU', 'LpOuJAb7H7hvRMdBVQ1AnaODmZFe', 'XnDomnyD2KrKgztSu0n8UgcyTtMr', '_5qAjOufp4L6I1T0lMBnmu3dUGIfT', 'rKegVYWo67YPPc243eop1fzYWZa9'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, MPa6Xr0AQZC.cs High entropy of concatenated method names: '_6GJVgQM8ptZ', 'Uem2lyvitHQ', 'LwA1Ll1CEEddV47RmDUB5Yj4KPMy', 'xMNrPIaDJbC7HdOcmntyD77XmEqe', 'UUf2ewjfCbPiFGAflcvfzRGlSkQG', 'NqGWGNbLp8mIYt5hWK4rMAFCSL56'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, tSVEs2o8qQK.cs High entropy of concatenated method names: 'QQdqdwEzwib', 'PlpQ2xjY0Yu', 'HgLRuS16jhU', 'zsQ2UJtzolS', 'PNxIzAlBrv2', 'v5EVct5tPPJ', 'UttU7w2EINj', 'UhRzgrDfxOy', '_4D1663jKxhk', 'ZDElxlR2TbR'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, oLciS9U7F8J.cs High entropy of concatenated method names: 'V7vZhTMJzl9', 'oWqCd5BBEjh', 'G4IvTHq7vFh', 'zyHixVgVu3U', 'hxOkwmFNJML', '_9ZGEoWFw2Yd', 'DsVF7W4N6O1', 'AnzZfRiGTgu', 'IiVmSm1uOum', '_2fU6Clf7cUk'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, FesmP3Aza9d.cs High entropy of concatenated method names: '_6vsMeptCbpv', 'sSPVo6tUmJu', 'dnBOevtILiX', '_0ltWRJ4t5ce', 'IUwWLSpCTWJ', 'wmL279qXtuI', '_3SevEQx02uf', 'pNd7xyhpi0O', 'HAdlIvjtPKH', 'M1pZzA8m5tI'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, A1Ugt8n7PUM.cs High entropy of concatenated method names: 'C0wo8T890AP', 'kkLtkVuscjB', '_4uEBk2afzGG', 'OWkdxM5AvKC', 'V8BiFvVfWEw', 'NMsttSLJYd1', 'gc1KRSHaC1X', 'ya3YoJcl4DG', 'pxfwzOlrv6w', '_5fMIOHRWH14'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, km6uzU2PJfC.cs High entropy of concatenated method names: '_33ClyxylmpT', 'oWrFf3GwLzJ', 'WW4RrUPouxv', 'ZSs7XEfPb5N', 'Za6uTmQ6gRu', 'EGqjsVqKxJc', 'HZSIwTobkCH', 'VDIILCBnb0b', '_30sQFmtMkbt', '_2DHvX8i8xXH'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, WVVv3SSHvfS.cs High entropy of concatenated method names: 'T7A1IkzhkIA', 'SRidmsVPLye', 'Jn6iXm1R3Jg', '_3XAMaQy2UXMLxjY6nDX6fzQnKesV', 'HKhf5kxG9SQlmpxxPOFDKhPPkt0E', 'D8N5hXFIud6X0f3445kJ3V8PJ1fY', 'M1cPiPPIob5NFuX4p12gnGpQbjrU', 'k8ibfBeIUT3kvmiyq2q4MunLO7Ej', '_0DOxrZIHYBMehv1nUO4sb5cn4BBj', 'S9VHLccOmQF3AEoelWKMEdSUulJp'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, eCzk9tVJCnA.cs High entropy of concatenated method names: 'kLodWjV5GDN', 'u3RqEbrppQv', 'cM8IBb03upE', '_5pDdQVaE5eJ', '_54cEAmTAZjfM7WrEI9qANKz7KxI2', 'o5Ihkex9rQAZ6R6Wz6Mry8Z6jmQL', 'wJ4iZRjf3jsKaK2zGXeQ3tmHPZrT', 'RkFy8x9f6L0C2lnwpg99cmwrzUED', 'MA1sbMrks8xs30jDXEMOdFNjhAbh', 'gr9Pm2upLExSPHZtJQftttKU8rrt'
                      Source: 0.2.general2.exe.3061820.1.raw.unpack, 7z6LSgbEFjS.cs High entropy of concatenated method names: 'F2FiFjSw04D', 'bYVuPAlRtqOBwNNkFp7x45kBOpKW', 'coqFBwJ4ORVOG33lOBaETj2xbUnp', 'bfwawa0dlYXCsTXbV8xyTt0dqyuy', 'CQw7zqrd295s51xWEJtxImGHVxrQ'
                      Source: general.exe.1.dr, XdZfEHpGMrm.cs High entropy of concatenated method names: 'DQs6fBA9BXi48xsvUTc2iCPgLPFkWqQIP8ZPjqTjThjRz8kcfXC8ccMFxKBf7o9vMPn8CSDl46pKFw2qNEqR6x', 'CVyy8VWjonTZ2qFg4ZXUYbxzA6zrtR8wYkoR35UNxSEwQ5Tf7kxDlX68MTaKDEkq6PGSOWC70XKFl3QCl5vYMz', 'DZFGLibP0oP8eLEsI8nLbmeovmxDdiv2bi8SLcsFRq226NSKYwU6jpjxN6xjEtXGDKGYlsfupchqLQoHowo0oQ', 'UrX59REjtULmlcltriVTyO4A7JmXJePAl3SQZLrnIwGeK9DqN9YbhSC95pVw60VXfb3PXxOF2QkU5vty77XQZy'
                      Source: general.exe.1.dr, EMckcO7CUGa.cs High entropy of concatenated method names: 'pqliOUYHsoC', 'oN1KQe8lGC4', 'd8TfZFp3Jxx', 'YBpBsRwytsqICN9ABXtTAWW1qXJSsby3Z6nMT8m2xRPTxWQmidIKg31qBoPky', 'iREISeH18R1ZuJv5ESgrRwrfmTFWKVY3vdD8wFCmMtZCpEQybwTExp32Y87oA', 'VG8B1GsUMDD5U7XtYqZrkQeVdQJxT3E6NeAVzshEwVoNzCNhHrf75mftzwNwA', 'ql1s7pnjieUz4mUdUT09TWGMbAprTJu6zUS707CoNATwpZ5BEuC5FS2M5yagf', 'zwZQNS4ApCFmLQqZM8FvCLer2nrWeCB9lyaFF53LiSvhfRbu6Oc5S6D3nRkPo', 'QxofHaCm6Bz7hQUNgAxO1Sy1ZRbsJweu5MfUavRcucl8QXduaRtkG3V91ldSW', 'tdrL70uDe2Diw7unt0sroqExdkMA904UREAinGD6nJHx1md36FOhdY9o1MQS7'
                      Source: general.exe.1.dr, s1XEUkW2pfCzLQDXoIwe495yOObsB7imj7W7QYHoJjeXBEWu1OVMBKIxGpRkl6LEhiwW0.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cMg5z1oLITFddBXdezdXGipJZREND7Pvr6OmkEv6YoTiHQTsQy2SrY08nA8lgwxdtyT5vWrZ1D9PFGoF5s2BNL', 'OLaHFkdoQJSMjKcr2ulfUACRY5Or3VesubkyugnlGXtU1CDcAoRbhDrG4Ckf2vlvvtqSK3YwqbzDGby08LspnG', '_2OspHhF4W5mN36Ur4qfIygi7D6UyMiQ0nJqF6Rla4If2Wl4UgSkNs51UjLBgq4R7IF4DaisJR0KVuyh7q5GNVn', '_1r1jDz9CTd75tuDQMYTugf3KP4UDlRKNOzt8EUU6o3SjD72FTDr9f6plGbDf2ok4ACgPTAFuZTQZeZ4acld0II'
                      Source: general.exe.1.dr, FmWj75oEetm.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'prXZJ8lYVDU', 'LpOuJAb7H7hvRMdBVQ1AnaODmZFe', 'XnDomnyD2KrKgztSu0n8UgcyTtMr', '_5qAjOufp4L6I1T0lMBnmu3dUGIfT', 'rKegVYWo67YPPc243eop1fzYWZa9'
                      Source: general.exe.1.dr, MPa6Xr0AQZC.cs High entropy of concatenated method names: '_6GJVgQM8ptZ', 'Uem2lyvitHQ', 'LwA1Ll1CEEddV47RmDUB5Yj4KPMy', 'xMNrPIaDJbC7HdOcmntyD77XmEqe', 'UUf2ewjfCbPiFGAflcvfzRGlSkQG', 'NqGWGNbLp8mIYt5hWK4rMAFCSL56'
                      Source: general.exe.1.dr, tSVEs2o8qQK.cs High entropy of concatenated method names: 'QQdqdwEzwib', 'PlpQ2xjY0Yu', 'HgLRuS16jhU', 'zsQ2UJtzolS', 'PNxIzAlBrv2', 'v5EVct5tPPJ', 'UttU7w2EINj', 'UhRzgrDfxOy', '_4D1663jKxhk', 'ZDElxlR2TbR'
                      Source: general.exe.1.dr, oLciS9U7F8J.cs High entropy of concatenated method names: 'V7vZhTMJzl9', 'oWqCd5BBEjh', 'G4IvTHq7vFh', 'zyHixVgVu3U', 'hxOkwmFNJML', '_9ZGEoWFw2Yd', 'DsVF7W4N6O1', 'AnzZfRiGTgu', 'IiVmSm1uOum', '_2fU6Clf7cUk'
                      Source: general.exe.1.dr, FesmP3Aza9d.cs High entropy of concatenated method names: '_6vsMeptCbpv', 'sSPVo6tUmJu', 'dnBOevtILiX', '_0ltWRJ4t5ce', 'IUwWLSpCTWJ', 'wmL279qXtuI', '_3SevEQx02uf', 'pNd7xyhpi0O', 'HAdlIvjtPKH', 'M1pZzA8m5tI'
                      Source: general.exe.1.dr, A1Ugt8n7PUM.cs High entropy of concatenated method names: 'C0wo8T890AP', 'kkLtkVuscjB', '_4uEBk2afzGG', 'OWkdxM5AvKC', 'V8BiFvVfWEw', 'NMsttSLJYd1', 'gc1KRSHaC1X', 'ya3YoJcl4DG', 'pxfwzOlrv6w', '_5fMIOHRWH14'
                      Source: general.exe.1.dr, km6uzU2PJfC.cs High entropy of concatenated method names: '_33ClyxylmpT', 'oWrFf3GwLzJ', 'WW4RrUPouxv', 'ZSs7XEfPb5N', 'Za6uTmQ6gRu', 'EGqjsVqKxJc', 'HZSIwTobkCH', 'VDIILCBnb0b', '_30sQFmtMkbt', '_2DHvX8i8xXH'
                      Source: general.exe.1.dr, WVVv3SSHvfS.cs High entropy of concatenated method names: 'T7A1IkzhkIA', 'SRidmsVPLye', 'Jn6iXm1R3Jg', '_3XAMaQy2UXMLxjY6nDX6fzQnKesV', 'HKhf5kxG9SQlmpxxPOFDKhPPkt0E', 'D8N5hXFIud6X0f3445kJ3V8PJ1fY', 'M1cPiPPIob5NFuX4p12gnGpQbjrU', 'k8ibfBeIUT3kvmiyq2q4MunLO7Ej', '_0DOxrZIHYBMehv1nUO4sb5cn4BBj', 'S9VHLccOmQF3AEoelWKMEdSUulJp'
                      Source: general.exe.1.dr, eCzk9tVJCnA.cs High entropy of concatenated method names: 'kLodWjV5GDN', 'u3RqEbrppQv', 'cM8IBb03upE', '_5pDdQVaE5eJ', '_54cEAmTAZjfM7WrEI9qANKz7KxI2', 'o5Ihkex9rQAZ6R6Wz6Mry8Z6jmQL', 'wJ4iZRjf3jsKaK2zGXeQ3tmHPZrT', 'RkFy8x9f6L0C2lnwpg99cmwrzUED', 'MA1sbMrks8xs30jDXEMOdFNjhAbh', 'gr9Pm2upLExSPHZtJQftttKU8rrt'
                      Source: general.exe.1.dr, 7z6LSgbEFjS.cs High entropy of concatenated method names: 'F2FiFjSw04D', 'bYVuPAlRtqOBwNNkFp7x45kBOpKW', 'coqFBwJ4ORVOG33lOBaETj2xbUnp', 'bfwawa0dlYXCsTXbV8xyTt0dqyuy', 'CQw7zqrd295s51xWEJtxImGHVxrQ'
                      Source: C:\Users\user\AppData\Roaming\general.exe File created: C:\Users\user\AppData\Local\Temp\general.exe
                      Source: C:\Users\user\Desktop\general2.exe File created: C:\Users\user\AppData\Roaming\general.exe

                      Boot Survival

                      Source: C:\Users\user\AppData\Roaming\general.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe"
                      Source: C:\Users\user\AppData\Roaming\general.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\general.lnk
                      Source: C:\Users\user\AppData\Roaming\general.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run general

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\general2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe - Process information set: NOOPENFILEERRORBOX

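The rows in this report all share one shape, "Source: <process or dump> <event>: <detail>", with the source fused to the event name and "Jump to behavior" link text trailing the behaviour rows. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses rows of that shape, collapses verbatim repeats such as the NOOPENFILEERRORBOX rows above into counts, and tags the evasion indicators that the next section lists (the ip-api.com hosting lookup, the SBIEDLL.DLL string, write-watch allocations, and very long or effectively infinite thread delays). The sample rows are constructed from patterns on this page; the indicator names and the 60 s stall threshold are my choices, and reading 922337203685477 ms as TimeSpan.MaxValue (Int64.MaxValue ticks / 10,000) is an interpretation, not something the report states.

```python
"""Triage helper for Joe Sandbox style behaviour rows (added example, not Joe Security code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample rows modelled on the report above. The page renders each row with the
# source fused to the event name ("...exeProcess information set") and with "Jump to behavior"
# link residue at the end; the parser tolerates both.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    r"Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    r"Source: general.exe.0.drBinary or memory string: SBIEDLL.DLL",
    r"Source: C:\Users\user\Desktop\general2.exeMemory allocated: 10D0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 600000Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599890Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 250Jump to behavior",
]

# Event names seen in this report; the alternation is what lets us split source from event.
EVENT_NAMES = (
    "Process information set",
    "Memory allocated",
    "Thread delayed",
    "HTTP traffic detected",
    "Binary or memory string",
)

LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)(?P<event>" + "|".join(map(re.escape, EVENT_NAMES)) + r"):\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)

# Interpretation: TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10,000), an effectively infinite wait.
TIMESPAN_MAX_MS = 922337203685477
# Assumed threshold for a deliberate stall; the report above shows 600000 ms (10 minutes) counted down in steps.
LONG_SLEEP_MS = 60_000


@dataclass(frozen=True)
class Event:
    source: str
    event: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Split one report row into (source, event, detail); returns None for rows of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["source"], m["event"], m["detail"].strip())


def dedupe(events: Iterable[Event]) -> Counter:
    """Collapse verbatim-repeated rows into counts, so a block of identical rows becomes one key."""
    return Counter(events)


def classify(ev: Event) -> Optional[str]:
    """Map one event to an indicator name (names are this example's own), or None if it is not one."""
    d = ev.detail
    if ev.event == "Thread delayed":
        m = re.search(r"delay time:\s*(\d+)", d)
        if m:
            ms = int(m.group(1))
            if ms >= TIMESPAN_MAX_MS:
                return "sleep_infinite"
            if ms >= LONG_SLEEP_MS:
                return "sleep_long"
        return None
    if ev.event == "Memory allocated" and "memory write watch" in d:
        # MEM_WRITE_WATCH reservation; the .NET GC also uses these, so weak evidence on managed samples.
        return "alloc_write_watch"
    if ev.event == "HTTP traffic detected" and "ip-api.com" in d and "fields=hosting" in d:
        return "datacenter_ip_check"
    if ev.event == "Binary or memory string" and "SBIEDLL.DLL" in d.upper():
        return "sandboxie_dll_string"
    if ev.event == "Process information set" and "NOOPENFILEERRORBOX" in d:
        # SetErrorMode(SEM_NOOPENFILEERRORBOX): suppresses error dialogs; common but low-signal on its own.
        return "error_box_suppressed"
    return None


def triage(lines: Iterable[str]) -> dict:
    """Parse, dedupe and classify rows; returns the distinct-row count, per-row counts and indicator tallies."""
    counts = dedupe(e for e in map(parse_line, lines) if e is not None)
    indicators: Counter = Counter()
    for ev, n in counts.items():
        tag = classify(ev)
        if tag:
            indicators[tag] += n
    return {"distinct_rows": len(counts), "rows_by_event": counts, "indicators": indicators}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for tag, n in sorted(result["indicators"].items()):
        print(f"{tag:24s} {n}")
```

Run as a script it prints the indicator tally for the constructed rows; pass the behaviour rows of a real report to `triage()` to get distinct-row and indicator counts instead of scrolling past hundreds of identical entries. The `error_box_suppressed` tag is kept separate from the sandbox-specific indicators on purpose, since SetErrorMode alone says little about evasion.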
                      Malware Analysis System Evasion

                      Source: global traffic - HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                      Source: general2.exe, 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp; general.exe, 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp; general.exe, 00000001.00000002.2414573843.0000000002531000.00000004.00000800.00020000.00000000.sdmp; general.exe.1.dr; general.exe.0.dr - Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\general2.exe - Memory allocated: 10D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\general2.exe - Memory allocated: 1B040000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\general.exe - Memory allocated: AE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\general.exe - Memory allocated: 1A530000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 840000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 1A390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 2320000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 1A500000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 760000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 1A790000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 1290000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\general.exe - Memory allocated: 1AD80000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\general2.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599890Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599781Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599671Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599562Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599453Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599343Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599233Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599121Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 599015Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598906Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598796Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598687Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598578Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598468Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598359Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598249Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598139Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 598030Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597921Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597762Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597645Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597500Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597365Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597234Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597124Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 597015Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596906Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596796Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596676Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596546Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596437Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596325Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596218Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 596109Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 595999Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 595890Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeThread delayed: delay time: 595781Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\general.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\general.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\general.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\general.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\general.exeWindow / User API: threadDelayed 1623Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeWindow / User API: threadDelayed 8190Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6647Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3096Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7487
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2032
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7250
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2467
                      Source: C:\Users\user\Desktop\general2.exe TID: 7624Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -38738162554790034s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599890s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599781s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599671s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599562s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599453s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599343s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599233s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599121s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -599015s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598906s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598796s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598687s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598578s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598468s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598359s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598249s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598139s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -598030s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597921s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597762s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597645s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597500s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597365s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597234s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597124s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -597015s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596906s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596796s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596676s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596546s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596437s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596325s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596218s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -596109s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -595999s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -595890s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exe TID: 7944Thread sleep time: -595781s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 8016Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860Thread sleep count: 7487 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856Thread sleep count: 2032 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096Thread sleep count: 7250 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092Thread sleep count: 2467 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\general.exe TID: 7360Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\general.exe TID: 7444Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\general.exe TID: 7324Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\general.exe TID: 3380Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\general.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\general.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\general.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\general.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\general.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\general.exeFile Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.29.dr; Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.29.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.29.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.29.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: svchost.exe, 00000007.00000002.2473306651.0000020AB2A53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2471865621.0000020AAD42B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2473245219.0000020AB2A42000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.29.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.29.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.29.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.29.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: general.exe, 00000001.00000002.2456960545.000000001B476000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.29.dr; Binary or memory string: vmci.sys
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: Amcache.hve.29.dr; Binary or memory string: vmci.syshbin`
                      Source: general.exe.0.dr; Binary or memory string: vmware
                      Source: Amcache.hve.29.dr; Binary or memory string: \driver\vmci,\driver\pci
                      Source: Amcache.hve.29.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware20,1
                      Source: Amcache.hve.29.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.29.dr; Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.29.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.29.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.29.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware PCI VMCI Bus Device
                      Source: general2.exe, 00000000.00000002.1171833421.000000000115D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.29.dr; Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.29.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.29.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\AppData\Roaming\general.exe; Code function: 1_2_00007FFC3DA75F3B CheckRemoteDebuggerPresent,1_2_00007FFC3DA75F3B
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\general.exe; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\general.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\general2.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe'
                      Source: C:\Users\user\Desktop\general2.exe; Process created: C:\Users\user\AppData\Roaming\general.exe "C:\Users\user\AppData\Roaming\general.exe"
                      Source: C:\Users\user\Desktop\general2.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\general.bat" "
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\general.exe'
                      Source: C:\Users\user\AppData\Roaming\general.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "general" /tr "C:\Users\user\AppData\Local\Temp\general.exe"
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\chcp.com chcp 65001
                      Source: C:\Users\user\Desktop\general2.exe; Queries volume information: C:\Users\user\Desktop\general2.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\general.exe; Queries volume information: C:\Users\user\AppData\Roaming\general.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\general.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\general.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\general.exe VolumeInformation
                      Source: C:\Users\user\Desktop\general2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.29.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.29.dr | Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.29.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: general.exe, 00000001.00000002.2456960545.000000001B4BF000.00000004.00000020.00020000.00000000.sdmp, general.exe, 00000001.00000002.2456960545.000000001B476000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.29.dr | Binary or memory string: MsMpEng.exe
                      Source: C:\Users\user\AppData\Roaming\general.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: general2.exe PID: 7600, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: general.exe PID: 7652, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPED
                      Source: Yara match | File source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.2414573843.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: general2.exe PID: 7600, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: general.exe PID: 7652, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match | File source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: general2.exe PID: 7600, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: general.exe PID: 7652, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPED
                      Source: Yara match | File source: 1.0.general.exe.290000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3073c60.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.general2.exe.3061820.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.1169504558.0000000000292000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1172318307.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.2414573843.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: general2.exe PID: 7600, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: general.exe PID: 7652, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\general.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\general.exe, type: DROPPED
                      MITRE ATT&CK Matrix (flattened table reconstructed; a number preceding a technique name is the report's signature count for that technique)

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 33 System Information Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Obfuscated Files or Information | Security Account Manager | 351 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 12 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 22 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 61 Virtualization/Sandbox Evasion | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 61 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Behavior Graph (rendered graph not recoverable; node labels and edges as extracted)

                      Behavior Graph ID: 1637759, Sample: general2.exe, Startdate: 13/03/2025, Architecture: WINDOWS, Score: 100
                      Top-level DNS/IP nodes: api.telegram.org; team-yacht.gl.at.ply.gg; 2 other IPs or domains
                      Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures; Uses the Telegram API (likely for C&C communication) (attached to api.telegram.org)
                      Top-level processes started: general2.exe; general.exe; svchost.exe; 3 other processes
                      general2.exe: dropped C:\Users\user\AppData\Roaming\general.exe (PE32) and C:\Users\user\AppData\...\general2.exe.log (CSV); signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); started general.exe and cmd.exe
                      general.exe (top-level instance): signature: Antivirus detection for dropped file
                      svchost.exe: DNS/IP 127.0.0.1 unknown unknown
                      general.exe (started by general2.exe): DNS/IP team-yacht.gl.at.ply.gg 147.185.221.26, 49743, 49778, 49805 SALSGIVERUS United States; ip-api.com 208.95.112.1, 49719, 80 TUT-ASUS United States; 2 other IPs or domains; dropped C:\Users\user\AppData\Local\...\general.exe (PE32); signatures: Antivirus detection for dropped file; Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures; started powershell.exe (three instances) and 2 other processes
                      cmd.exe: started conhost.exe and chcp.com
                      powershell.exe: signature: Loading BitLocker PowerShell Module; each powershell.exe instance and the 2 other processes started conhost.exe
