
Windows Analysis Report
g0dvHLi4bP

Overview

General Information

Sample Name: g0dvHLi4bP (renamed file extension from none to exe)
Analysis ID: 620365
MD5: 4c414b473bccbbce2c7cde00248ea1a1
SHA1: 77bf848d5a1d4d0fdc252aa170e7b8af19bcc012
SHA256: 7bb212946fdeb406c7aa8f691405d185065514d5dc1f269f8e409762ff9f6915
Tags: 32exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • g0dvHLi4bP.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\g0dvHLi4bP.exe" MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • powershell.exe (PID: 5868 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5864 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • g0dvHLi4bP.exe (PID: 5432 cmdline: C:\Users\user\Desktop\g0dvHLi4bP.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
  • AheGmkp.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe" MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • powershell.exe (PID: 7028 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4952 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AheGmkp.exe (PID: 6104 cmdline: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • AheGmkp.exe (PID: 5944 cmdline: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
    • AheGmkp.exe (PID: 7068 cmdline: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
  • AheGmkp.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe" MD5: 4C414B473BCCBBCE2C7CDE00248EA1A1)
  • cleanup
Malware configuration (extracted, AgentTesla): {"Exfil Mode": "SMTP", "Username": "Az@gcmce.com", "Password": "   DANIEL3116", "Host": "us2.smtp.mailhostbox.com"}

Source | Rule | Description | Author | Strings
00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(table truncated; 37 entries in total)

Source | Rule | Description | Author | Strings
24.0.AheGmkp.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
24.0.AheGmkp.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
24.0.AheGmkp.exe.400000.12.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | (matched strings listed below)
  • 0x32a97:$s10: logins
  • 0x324fe:$s11: credential
  • 0x2eb12:$g1: get_Clipboard
  • 0x2eb20:$g2: get_Keyboard
  • 0x2eb2d:$g3: get_Password
  • 0x2fe0c:$g4: get_CtrlKeyDown
  • 0x2fe1c:$g5: get_ShiftKeyDown
  • 0x2fe2d:$g6: get_AltKeyDown
0.2.g0dvHLi4bP.exe.3b7d998.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.g0dvHLi4bP.exe.3b7d998.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(table truncated; 69 entries in total)

No Sigma rule has matched
No Snort rule has matched


AV Detection
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "Az@gcmce.com", "Password": " DANIEL3116", "Host": "us2.smtp.mailhostbox.com"}
Source: g0dvHLi4bP.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | ReversingLabs: Detection: 30%
Source: g0dvHLi4bP.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | Joe Sandbox ML: detected
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.2.AheGmkp.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 24.0.AheGmkp.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: g0dvHLi4bP.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: g0dvHLi4bP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49782 -> 162.222.225.16:587
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 162.222.225.29:587
Source: global traffic | TCP traffic: 192.168.2.5:49782 -> 162.222.225.16:587
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 162.222.225.29:587
Source: g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://KMYoUX.com
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.710089577.0000000006A74000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.usertr
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: g0dvHLi4bP.exe, 00000000.00000003.434389436.0000000005986000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: g0dvHLi4bP.exe, 00000000.00000003.433882247.00000000059A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.wikipediaN
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507431111.0000000005980000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.492845361.0000000005980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507431111.0000000005980000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.492845361.0000000005980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com5
Source: g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comTTF
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507431111.0000000005980000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.492845361.0000000005980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comlicF
Source: g0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.437408108.0000000005987000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436963733.0000000005987000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.437207014.0000000005988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g0dvHLi4bP.exe, 00000000.00000003.437408108.0000000005987000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn;
Source: g0dvHLi4bP.exe, 00000000.00000003.437207014.0000000005988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnese
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/V
Source: g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/d
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434167177.000000000599B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439167968.000000000599B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comivd
Source: g0dvHLi4bP.exe, 00000000.00000003.434322634.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435735907.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434263544.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436481267.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434449814.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435975473.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438134623.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436182054.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435045732.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434508936.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435924012.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.435216005.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439477892.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436845818.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438504418.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434538231.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436004358.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.438993924.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434891771.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.434977488.000000000599B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.439167968.000000000599B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comk-s
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: AheGmkp.exe, 00000018.00000002.706330970.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706504468.0000000003412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://Iq79XHPURIYANir.org
Source: g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%appdata
Source: g0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: g0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

System Summary

Source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.2.AheGmkp.exe.32428cc.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bDA35114Eu002d5E6Au002d4ED1u002dA357u002d2182AE57DC38u007d/u003400062A7u002dB85Fu002d4985u002d86CAu002dD71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bDA35114Eu002d5E6Au002d4ED1u002dA357u002d2182AE57DC38u007d/u003400062A7u002dB85Fu002d4985u002d86CAu002dD71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bDA35114Eu002d5E6Au002d4ED1u002dA357u002d2182AE57DC38u007d/u003400062A7u002dB85Fu002d4985u002d86CAu002dD71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bDA35114Eu002d5E6Au002d4ED1u002dA357u002d2182AE57DC38u007d/u003400062A7u002dB85Fu002d4985u002d86CAu002dD71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bDA35114Eu002d5E6Au002d4ED1u002dA357u002d2182AE57DC38u007d/u003400062A7u002dB85Fu002d4985u002d86CAu002dD71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bDA35114Eu002d5E6Au002d4ED1u002dA357u002d2182AE57DC38u007d/u003400062A7u002dB85Fu002d4985u002d86CAu002dD71D3FFC1C98.cs | Large array initialization: .cctor: array initializer size 11591
Source: g0dvHLi4bP.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.2.AheGmkp.exe.32428cc.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_00FCC344
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_00FCE770
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_00FCE760
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 0_2_0701F788
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0158F080
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0158F3C8
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_01586120
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0637BE38
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06371FF8
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0637CB88
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06370040
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_067E1D40
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_00FEC344
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_00FEE770
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_00FEE760
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556D10
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556D20
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556FA7
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_055586F0
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_055586E0
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05550040
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05550006
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05552B30
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E10628
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E15338
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E10040
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E15E10
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1ACE8
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1532A
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E14CE7
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E14CF8
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1ACD8
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1A8C0
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_06E1A8B0
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 12_2_05556FB8
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_0157C344
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_0157E770
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_0157E760
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_07640040
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Code function: 15_2_07640006
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: String function: 06375A58 appears 54 times
Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWMEDMOaagJLPDneJpcUggQefG.exe4 vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000000.00000000.429966155.00000000006A6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePolicyExcept.exe4 vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000000.00000002.509064718.0000000007290000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWMEDMOaagJLPDneJpcUggQefG.exe4 vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000000.00000002.508641286.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePoolWait.dll" vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000008.00000000.487866911.0000000000C56000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePolicyExcept.exe4 vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWMEDMOaagJLPDneJpcUggQefG.exe4 vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe, 00000008.00000002.697117063.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe | Binary or memory string: OriginalFilenamePolicyExcept.exe4 vs g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lyfhOEwABQlG.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AheGmkp.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: g0dvHLi4bP.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Users\user\Desktop\g0dvHLi4bP.exe
Source: g0dvHLi4bP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe "C:\Users\user\Desktop\g0dvHLi4bP.exe"
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe C:\Users\user\Desktop\g0dvHLi4bP.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe "C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe C:\Users\user\Desktop\g0dvHLi4bP.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/3
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Mutant created: \Sessions\1\BaseNamedObjects\btLgVXXoNVGzXvelqauFUkXSa
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_01
Source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: g0dvHLi4bP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: g0dvHLi4bP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: g0dvHLi4bP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

                    Source: g0dvHLi4bP.exe, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: lyfhOEwABQlG.exe.0.dr, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: AheGmkp.exe.8.dr, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: g0dvHLi4bP.exe, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "54657874526561", "31567373", "Client" } }, null, null)
                    Source: lyfhOEwABQlG.exe.0.dr, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "54657874526561", "31567373", "Client" } }, null, null)
                    Source: AheGmkp.exe.8.dr, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "54657874526561", "31567373", "Client" } }, null, null)
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_0637BD83 push es; ret
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06373139 push es; iretd
                    Source: g0dvHLi4bP.exe | Static PE information: TimeDateStamp 0xD8BB75AE [Fri Mar 23 05:33:34 2085 UTC] (lies in the future, so the link timestamp is not genuine)
                    Source: initial sample | Static PE information: section name: .text entropy: 7.97222784974
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File created: C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
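The two "Static PE information" findings in this section (a link timestamp of 0xD8BB75AE, which decodes to the year 2085, and a .text section with entropy 7.97 out of a possible 8.0) are cheap to reproduce outside the sandbox. The Python below is an added example, not code from the report or from Joe Sandbox: it reads IMAGE_FILE_HEADER.TimeDateStamp and the section table straight from the PE bytes, converts the timestamp, computes per-section Shannon entropy, and flags anything dated in the future or above an entropy threshold. The 7.0 threshold is an assumption for the example, and the PE image it builds for the demo is a constructed header-only stub, not the analysed sample.

```python
"""Static PE triage: link-timestamp sanity and per-section Shannon entropy."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption for this example: code sections above this entropy are treated as packed.
ENTROPY_THRESHOLD = 7.0
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC.
    Done with timedelta so values past 2038 also work on a 32-bit time_t."""
    return EPOCH + timedelta(seconds=ts)


def parse_sections(image: bytes):
    """Return (TimeDateStamp, [(section name, raw bytes)]) from a PE file image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return ts, sections


def triage(image: bytes, now: Optional[datetime] = None) -> dict:
    """Flag a link timestamp in the future and sections that look packed."""
    now = now or datetime.now(timezone.utc)
    ts, sections = parse_sections(image)
    link_time = pe_timestamp(ts)
    entropies = {name: round(shannon_entropy(raw), 3) for name, raw in sections}
    return {
        "link_time": link_time.isoformat(),
        "timestamp_in_future": link_time > now,
        "section_entropy": entropies,
        "packed_sections": [n for n, e in entropies.items() if e > ENTROPY_THRESHOLD],
    }


def build_demo_image(timestamp: int, text: bytes) -> bytes:
    """Constructed header-only PE (DOS stub, COFF header, one .text section).
    Parseable but not loadable, and not the analysed sample."""
    e_lfanew, opt_size = 0x40, 0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF           # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    sec = (b".text".ljust(8, b"\0")
           + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr)
           + b"\0" * 16)
    img = dos + b"PE\0\0" + coff + sec
    return img + b"\0" * (raw_ptr - len(img)) + text


if __name__ == "__main__":
    import random
    # constructed high-entropy section body, as a packer's encrypted payload would look
    body = bytes(random.Random(1).getrandbits(8) for _ in range(4096))
    print(triage(build_demo_image(0xD8BB75AE, body)))
```

Run it against a real file with `triage(open(path, "rb").read())`. A timestamp this far ahead is a strong hint the header was tampered with, and a near-8.0 .text section means the code that matters is not in the static image at all, which is why the Yara and unpacked-memory findings elsewhere in this report carry more weight than static AV verdicts.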

                    Boot Survival

                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp"
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AheGmkp

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match  File source: 15.2.AheGmkp.exe.32428cc.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: g0dvHLi4bP.exe PID: 7044, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: AheGmkp.exe PID: 6920, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: AheGmkp.exe PID: 6188, type: MEMORYSTR
                    Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL
                    Source: g0dvHLi4bP.exe, 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 7048  Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 7080  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 6344  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4968  Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 7024  Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 1500  Thread sleep count: 5232 > 30
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe TID: 1500  Thread sleep count: 3710 > 30
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 6924  Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 5556  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 6160  Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 3976  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4612  Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4912  Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 3448  Thread sleep time: -21213755684765971s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 4468  Thread sleep count: 6053 > 30
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe TID: 4468  Thread sleep count: 2689 > 30
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5926
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 496
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeWindow / User API: threadDelayed 5232
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeWindow / User API: threadDelayed 3710
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3847
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeWindow / User API: threadDelayed 6053
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeWindow / User API: threadDelayed 2689
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeThread delayed: delay time: 922337203685477
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: g0dvHLi4bP.exe, 00000000.00000002.510129659.00000000075EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: AheGmkp.exe, 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Memory written: C:\Users\user\Desktop\g0dvHLi4bP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Memory written: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Process created: C:\Users\user\Desktop\g0dvHLi4bP.exe C:\Users\user\Desktop\g0dvHLi4bP.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe; Process created: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Users\user\Desktop\g0dvHLi4bP.exe VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe; Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Users\user\Desktop\g0dvHLi4bP.exe VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\g0dvHLi4bP.exeCode function: 8_2_06374EBC GetUserNameW,

Stealing of Sensitive Information

Source: Yara match | File source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 7044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 5432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 6920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 7068, type: MEMORYSTR
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 5432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 7068, type: MEMORYSTR
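The mail, FTP/SCP and browser credential-store accesses listed in this section, together with the MachineGuid read and the GetUserNameW call in the host-behaviour evidence earlier, are what distinguish the infostealer from the surrounding loader activity. The Python below is an added example written by the editor; it is not code from the report or from Joe Sandbox. It parses evidence lines in the form the report renders them (the report's HTML keeps the process path and the event in separate cells, and text extraction often fuses them, so the regex accepts both renderings), sets aside the volume-information queries that the .NET runtime and PowerShell issue while loading assemblies and checking catalog signatures, and groups the remaining accesses by process and credential-store category. Treating those assembly and catalog queries as baseline noise, and the category table itself, are the editor's assumptions, not fields of the report; the sample lines are taken from this section.

```python
"""Triage of the 'Source:' evidence lines in a Joe Sandbox report.

Added example (editor's code, not part of the report or of Joe Sandbox). The
category table and the decision to treat assembly/catalog volume queries as
loader noise are the editor's assumptions.
"""
import re
from collections import defaultdict

# Matches both renderings of an evidence line: process path fused with the
# event ("...powershell.exeQueries volume information: ...") or separated
# from it by " | ".
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)(?: \| )?"
    r"(?P<event>Queries volume information|Key value queried|Key opened|"
    r"File opened|Code function): (?P<target>.*)$"
)

# What the accessed object is (editor's assumption); each regex is applied
# to the lower-cased target path, registry key or function name.
CATEGORIES = [
    ("mail client",      r"\\thunderbird\\|windows messaging subsystem|\\incredimail\\"),
    ("ftp/scp client",   r"winscp|\\filezilla\\|\\smartftp\\"),
    ("browser",          r"\\google\\chrome\\.*\\login data|\\mozilla\\firefox\\"),
    ("host fingerprint", r"\\cryptography machineguid$|getusernamew"),
]
CREDENTIAL_CATEGORIES = {"mail client", "ftp/scp client", "browser"}


def classify(event, target):
    t = target.lower()
    for name, pattern in CATEGORIES:
        if re.search(pattern, t):
            return name
    return "uncategorised " + event.lower()


def volume_query_kind(target, src):
    """Separate the volume-information queries the .NET runtime and PowerShell
    make while loading assemblies and checking catalog signatures (treated as
    baseline noise, an assumption) from the ones worth a second look."""
    t = target.lower()
    if t == src.lower():
        return "own image"
    if re.fullmatch(r"[a-z]:\\?", t):
        return "volume root"
    if ("\\microsoft.net\\assembly\\" in t or t.endswith(".cat")
            or "\\windowspowershell\\v1.0\\modules\\" in t):
        return "loader noise"
    return "other"


def triage(lines):
    """Return {process name: {category: sorted targets}}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        proc = m["src"].rsplit("\\", 1)[-1]
        event, target = m["event"], m["target"].strip()
        if event == "Queries volume information":
            target = re.sub(r"\s+VolumeInformation$", "", target)
            out[proc]["volume: " + volume_query_kind(target, m["src"])].add(target)
        else:
            out[proc][classify(event, target)].add(target)
    return {p: {c: sorted(t) for c, t in cats.items()} for p, cats in out.items()}


def credential_stores_touched(result):
    """(process, category) pairs for the credential stores actually opened."""
    return sorted((p, c) for p, cats in result.items() for c in cats
                  if c in CREDENTIAL_CATEGORIES)


# Sample lines taken from the evidence above; the third one is in the fused
# rendering that text extraction produces.
EVIDENCE = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation",
    r"Source: C:\Users\user\Desktop\g0dvHLi4bP.exeQueries volume information: C:\Users\user\Desktop\g0dvHLi4bP.exe VolumeInformation",
    r"Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Code function: 8_2_06374EBC GetUserNameW,",
    r"Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\g0dvHLi4bP.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
]

if __name__ == "__main__":
    result = triage(EVIDENCE)
    for proc, cats in result.items():
        for cat, targets in cats.items():
            print(f"{proc:<16} {cat:<22} {len(targets)} target(s)")
    print("credential stores touched:", credential_stores_touched(result))
```

Run against the full evidence list, the volume-information noise collapses to a handful of "loader noise" entries per process, and what remains is the victim fingerprint (MachineGuid, user name) plus the mail, FTP/SCP and browser stores, which is the behaviour the "Tries to steal Mail credentials", "Putty / WinSCP", "ftp login credentials" and "browser information" signatures in the overview summarise.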

Remote Access Functionality

Source: Yara match | File source: 24.0.AheGmkp.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b7d998.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.AheGmkp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d4d998.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d19378.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b49378.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d4d998.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b7d998.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.g0dvHLi4bP.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.0.AheGmkp.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b49378.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.g0dvHLi4bP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3ce2f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AheGmkp.exe.3d19378.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 7044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: g0dvHLi4bP.exe PID: 5432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 6920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AheGmkp.exe PID: 7068, type: MEMORYSTR
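The Yara lists under "Stealing of Sensitive Information" and "Remote Access Functionality" cite the same dumps, so one added example serves both. The Python below is the editor's own code, not anything from the report or from Joe Sandbox: it parses the three identifier forms used above (`<index>.<phase>.<image>.<address>.<n>[.raw].unpack`, the `.sdmp` names, and `Process Memory Space: <image> PID: <pid>`) and groups the matched addresses per process index. The field reading is an assumption that fits every name on the page: the first `.sdmp` field is the process index in hex (0x18 = 24, the same index as the `24.*.AheGmkp.exe` unpack names), the fourth is the base address of the dumped region, and the fifth decodes as a Win32 page-protection constant (0x40 = PAGE_EXECUTE_READWRITE on the dumps at 0x402000, 0x04 = PAGE_READWRITE on the heap dumps); the phase value and the remaining fields are kept raw. On the sample names the grouping puts matches at the image base (0x400000/0x402000) in process indices 8 and 24 and only at heap addresses in indices 0 and 12, the split one expects between the parent that unpacks the payload in its own heap and the process it is injected into, which is what the "Injects a PE file into a foreign processes" signature in the overview describes.

```python
"""Group the Yara-match sources of a Joe Sandbox report by process and address.

Added example (editor's code, not part of the report). Field meanings for the
.sdmp names beyond index, phase, base address and protection are not decoded
and are kept raw; the decoded ones are the editor's assumption.
"""
import re
from collections import defaultdict

UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-fA-F]+)"
    r"\.(?P<n>\d+)\.(?P<raw>raw\.)?unpack$"
)
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)"
    r"\.(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})"
    r"\.(?P<rest>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\.sdmp$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")

# Win32 page-protection constants (winnt.h). Mapping the fifth .sdmp field
# onto them is an assumption; it fits every name in the report.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_source(src):
    """Return a dict for one 'File source:' value, or None if the form is unknown."""
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "idx": int(m["idx"]), "phase": int(m["phase"]),
                "image": m["image"], "addr": int(m["addr"], 16),
                "raw": m["raw"] is not None}
    m = SDMP_RE.match(src)
    if m:
        prot = int(m["prot"], 16)
        return {"kind": "sdmp", "idx": int(m["idx"], 16), "phase": int(m["phase"], 16),
                "addr": int(m["addr"], 16),
                "protection": PAGE_PROTECT.get(prot, f"0x{prot:x}"),
                "raw_fields": m["rest"]}
    m = MEMSTR_RE.match(src)
    if m:
        return {"kind": "memstr", "image": m["image"], "pid": int(m["pid"])}
    return None


def injection_view(sources):
    """Per process index: image name (when an unpack name supplies it), the set
    of matched addresses, and the protections seen on the memory dumps."""
    view = defaultdict(lambda: {"image": None, "addresses": set(), "protections": set()})
    for src in sources:
        rec = parse_source(src)
        if not rec or "idx" not in rec:
            continue  # unknown form, or a whole-process string match
        p = view[rec["idx"]]
        if rec.get("image"):
            p["image"] = rec["image"]
        p["addresses"].add(rec["addr"])
        if "protection" in rec:
            p["protections"].add(rec["protection"])
    return dict(view)


def in_image_window(addr, base=0x400000, size=0x10000):
    """Default image base of a 32-bit PE plus a small window (assumption)."""
    return base <= addr < base + size


def hollowed_candidates(view):
    """Indices with a match at the image base: the payload was mapped where an
    executable image lives, i.e. the injection target."""
    return sorted(i for i, p in view.items()
                  if any(in_image_window(a) for a in p["addresses"]))


def staging_candidates(view):
    """Indices whose matches are all outside the image window (heap): the
    process that unpacked the payload before injecting it."""
    return sorted(i for i, p in view.items()
                  if p["addresses"] and not any(in_image_window(a) for a in p["addresses"]))


# A subset of the 'File source:' values listed above.
SOURCES = [
    "24.0.AheGmkp.exe.400000.12.unpack",
    "24.2.AheGmkp.exe.400000.0.unpack",
    "0.2.g0dvHLi4bP.exe.3b7d998.8.unpack",
    "0.2.g0dvHLi4bP.exe.3b12f58.7.raw.unpack",
    "8.0.g0dvHLi4bP.exe.400000.4.unpack",
    "8.2.g0dvHLi4bP.exe.400000.0.unpack",
    "12.2.AheGmkp.exe.3d4d998.7.unpack",
    "12.2.AheGmkp.exe.3ce2f58.6.raw.unpack",
    "00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp",
    "00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp",
    "Process Memory Space: g0dvHLi4bP.exe PID: 7044",
]

if __name__ == "__main__":
    view = injection_view(SOURCES)
    for idx in sorted(view):
        p = view[idx]
        addrs = ", ".join(f"0x{a:x}" for a in sorted(p["addresses"]))
        print(f"process {idx:2d} {p['image'] or '?':<16} {addrs}  {sorted(p['protections'])}")
    print("image-base matches (injection targets):", hollowed_candidates(view))
    print("heap-only matches (unpacking parents):", staging_candidates(view))
```

The process index in these names is the report's own numbering, not a Windows PID; the `Process Memory Space ... PID:` entries carry the real PIDs, and this section does not state which index maps to which PID, so the script leaves the two unlinked.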
MITRE ATT&CK matrix, listed per tactic column (bracketed numbers are the hit-count badges shown in the matrix; techniques without a badge had no hits):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation [2 1 1]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection [1 1 1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Disable or Modify Tools [1 1]; Deobfuscate/Decode Files or Information [1 1]; Obfuscated Files or Information [3]; Software Packing [2 3]; Timestomp [1]; Masquerading [1]; Virtualization/Sandbox Evasion [1 3 1]; Process Injection [1 1 1]; Hidden Files and Directories [1]; Invalid Code Signature
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [1 1 4]; Query Registry [1]; Security Software Discovery [3 1 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [1 3 1]; Application Window Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data [1 1]; Data from Local System [2]; Email Collection [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1 1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph ID: 620365
Sample: g0dvHLi4bP
Start date: 04/05/2022
Architecture: WINDOWS
Score: 100

Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures

Process tree recovered from the graph (signatures, dropped files and network contacts are listed under the process they were attributed to):

g0dvHLi4bP.exe started
  dropped: C:\Users\user\AppData\...\lyfhOEwABQlG.exe (PE32); C:\Users\...\lyfhOEwABQlG.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF6C5.tmp (XML); C:\Users\user\AppData\...\g0dvHLi4bP.exe.log (ASCII)
  signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
  g0dvHLi4bP.exe started
    network: us2.smtp.mailhostbox.com 162.222.225.16, 49782, 587, PUBLIC-DOMAIN-REGISTRYUS, United States; 192.168.2.1 unknown unknown
    dropped: C:\Users\user\AppData\Roaming\...\AheGmkp.exe (PE32); C:\Users\...\AheGmkp.exe:Zone.Identifier (ASCII)
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
  powershell.exe started
    conhost.exe started
  schtasks.exe started
    conhost.exe started
AheGmkp.exe started
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
  AheGmkp.exe started
    network: 162.222.225.29, 49799, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
    signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  powershell.exe started
    conhost.exe started
  schtasks.exe started
    conhost.exe started
  2 other processes
AheGmkp.exe started

Source | Detection | Scanner | Label
g0dvHLi4bP.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
g0dvHLi4bP.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Source | Detection | Scanner | Label
8.0.g0dvHLi4bP.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
24.0.AheGmkp.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
24.0.AheGmkp.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
24.0.AheGmkp.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
24.2.AheGmkp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.0.g0dvHLi4bP.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
24.0.AheGmkp.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
8.0.g0dvHLi4bP.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
8.0.g0dvHLi4bP.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
8.0.g0dvHLi4bP.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
24.0.AheGmkp.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
8.2.g0dvHLi4bP.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 162.222.225.16 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                        https://api.ipify.org%appdataAheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        low
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwg0dvHLi4bP.exe, 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/jp/g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comag0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.come.comg0dvHLi4bP.exe, 00000000.00000003.458208870.000000000598A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://en.wg0dvHLi4bP.exe, 00000000.00000003.434389436.0000000005986000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comlg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.founder.com.cn/cng0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.437408108.0000000005987000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.436963733.0000000005987000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.437207014.0000000005988000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmlg0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://KMYoUX.comAheGmkp.exe, 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.comtg0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers8g0dvHLi4bP.exe, 00000000.00000002.507828493.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://ocsp.sectigo.com0Ag0dvHLi4bP.exe, 00000008.00000002.705876237.000000000337A000.00000004.00000800.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000003.646298713.0000000001425000.00000004.00000020.00020000.00000000.sdmp, AheGmkp.exe, 00000018.00000002.706376253.00000000033E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comalicg0dvHLi4bP.exe, 00000000.00000003.447425136.0000000005988000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.446963602.0000000005987000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/_g0dvHLi4bP.exe, 00000000.00000003.440198384.000000000598B000.00000004.00000800.00020000.00000000.sdmp, g0dvHLi4bP.exe, 00000000.00000003.440096725.000000000598B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP             | Domain                    | Country       | ASN    | ASN Name                 | Malicious
162.222.225.29 | unknown                   | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
162.222.225.16 | us2.smtp.mailhostbox.com  | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                                              IP
                                              192.168.2.1
                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:620365
Start date and time: 2022-05-04 16:58:27 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 13m 48s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:g0dvHLi4bP (renamed file extension from none to exe)
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@23/15@2/3
                                              EGA Information:
                                              • Successful, ratio: 80%
                                              HDC Information:
                                              • Successful, ratio: 0.3% (good quality ratio 0.2%)
                                              • Quality average: 66.5%
                                              • Quality standard deviation: 39.8%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 52.152.110.14, 52.242.101.226, 20.223.24.244
                                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target AheGmkp.exe, PID 6104 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: g0dvHLi4bP.exe
Time     | Type            | Description
16:59:56 | API Interceptor | 551x Sleep call for process: g0dvHLi4bP.exe modified
17:00:03 | API Interceptor | 54x Sleep call for process: powershell.exe modified
17:00:18 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AheGmkp C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
17:00:26 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AheGmkp C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
17:00:33 | API Interceptor | 263x Sleep call for process: AheGmkp.exe modified
                                              Process:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                              MD5:69206D3AF7D6EFD08F4B4726998856D3
                                              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1308
                                              Entropy (8bit):5.345811588615766
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                              MD5:EA78C102145ED608EF0E407B978AF339
                                              SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                              SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                              SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):22136
                                              Entropy (8bit):5.597822703095696
                                              Encrypted:false
                                              SSDEEP:384:rtCDXq0+++NURn/Jvbc1S0ncjultIUMptQCvjg3hInUML+mfmAV7edMDS5ZQvnI2:Hen/F+TcCltn0K066fK6pk7+1
                                              MD5:B70ECAE7C579586D29CC3A2E7A951E8D
                                              SHA1:2E80B12AD6A3815720063BE0596D7E767BC5DC71
                                              SHA-256:D0057D879F3C464632DA27A3CF4052068A35D5CB2EC249C904850291C72E37F2
                                              SHA-512:9F8E625D2BB43EBC607F0CC460A6DC195DA0604A7A56D63788FD04BDB18EF36CCBADBB7B442F4C193FF5373FE5C40C185510101A07578DE64D6C6FE60297A278
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:@...e...........W.......{.s.........n...&.\..........@..........H...............<@.^.L."My...:B..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:1
                                              Process:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1603
                                              Entropy (8bit):5.134080332336202
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTdv
                                              MD5:904679853A08670AB337ACD5326AE5EC
                                              SHA1:42D1F905EA56C74288A9B79BAE92980F032E52BF
                                              SHA-256:67CA6167D39906C125752E95BACF21D6173A4FEBF2242130733391BB51124B86
                                              SHA-512:274D3DF62321515C671D9C3C2F3F20E59ABB36042A423126890C8929F0096FB0E3EA037DDA57713B0E9BAC5511D0B2F9441A09F187B7B7F678D726638AA491D5
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1603
                                              Entropy (8bit):5.134080332336202
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTdv
                                              MD5:904679853A08670AB337ACD5326AE5EC
                                              SHA1:42D1F905EA56C74288A9B79BAE92980F032E52BF
                                              SHA-256:67CA6167D39906C125752E95BACF21D6173A4FEBF2242130733391BB51124B86
                                              SHA-512:274D3DF62321515C671D9C3C2F3F20E59ABB36042A423126890C8929F0096FB0E3EA037DDA57713B0E9BAC5511D0B2F9441A09F187B7B7F678D726638AA491D5
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):536064
                                              Entropy (8bit):7.963464056116047
                                              Encrypted:false
                                              SSDEEP:12288:P2L2I3WfZbHLfAFrv3fjx5u45RXKmMPA6KAzVb9Dg+qyx2H:P25I17A1vtg43KpPA6Nb98+qyx2H
                                              MD5:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              SHA1:77BF848D5A1D4D0FDC252AA170E7B8AF19BCC012
                                              SHA-256:7BB212946FDEB406C7AA8F691405D185065514D5DC1F269F8E409762FF9F6915
                                              SHA-512:0FA66C53045E9E74D294420D66DEADCAD7EE56D13E33DD90E73B0DE1E6958CD3B5C347E13E85797895BBAC5F23B3CC3926D6B9A75F242EF2379D93230C7B0F9B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 31%
                                              Reputation:unknown
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u................0.."..........Z@... ...`....@.. ....................................@..................................@..O....`..<............................?............................................... ............... ..H............text...` ... ...".................. ..`.rsrc...<....`.......$..............@..@.reloc...............,..............@..B................<@......H.......<H...0...........x.. ............................................0............}.....(.......(.....~....t2.....3...%.r...p.%.~.....%.r...p.%.~.....%.r...p.%.~.....%.r...p.(....o.......r...p......%.......%.r)..p.%.rG..p.%.rY..p....(.....*...{....rg..p%.-...o..... .........*.0.............{....o.....0...(.........,..r{..p(....&....r...p..r...p(......,..r...p(....&.v.r...p(........,..r...p(....&s........o......H.(....&...9...%..:.o.......1.....2...s......o.............o
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):536064
                                              Entropy (8bit):7.963464056116047
                                              Encrypted:false
                                              SSDEEP:12288:P2L2I3WfZbHLfAFrv3fjx5u45RXKmMPA6KAzVb9Dg+qyx2H:P25I17A1vtg43KpPA6Nb98+qyx2H
                                              MD5:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              SHA1:77BF848D5A1D4D0FDC252AA170E7B8AF19BCC012
                                              SHA-256:7BB212946FDEB406C7AA8F691405D185065514D5DC1F269F8E409762FF9F6915
                                              SHA-512:0FA66C53045E9E74D294420D66DEADCAD7EE56D13E33DD90E73B0DE1E6958CD3B5C347E13E85797895BBAC5F23B3CC3926D6B9A75F242EF2379D93230C7B0F9B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 31%
                                              Reputation:unknown
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u................0.."..........Z@... ...`....@.. ....................................@..................................@..O....`..<............................?............................................... ............... ..H............text...` ... ...".................. ..`.rsrc...<....`.......$..............@..@.reloc...............,..............@..B................<@......H.......<H...0...........x.. ............................................0............}.....(.......(.....~....t2.....3...%.r...p.%.~.....%.r...p.%.~.....%.r...p.%.~.....%.r...p.(....o.......r...p......%.......%.r)..p.%.rG..p.%.rY..p....(.....*...{....rg..p%.-...o..... .........*.0.............{....o.....0...(.........,..r{..p(....&....r...p..r...p(......,..r...p(....&.v.r...p(........,..r...p(....&s........o......H.(....&...9...%..:.o.......1.....2...s......o.............o
                                              Process:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:unknown
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):5807
                                              Entropy (8bit):5.392757491075899
                                              Encrypted:false
                                              SSDEEP:96:BZp/AZNsqDo1ZSZ3/AZNsqDo1ZR5PhjZ4/AZNsqDo1ZacRRDZw:k
                                              MD5:32E8DB16DD68F89E485E50B09244EC15
                                              SHA1:9D9603BDC78658E9E4224DDFBE085827D4CA5A7E
                                              SHA-256:987995A1AB28758D3AF5782BEE36DA9657011669D31200ED43EC2B7FDC146757
                                              SHA-512:6DB9F4B1090662FF98CD6246F1E737F90C46FCFE5D0D0B4697792A661F7E6DF83F01A69DE738DBA7FEA5B183E509098A81B493554DB0179330C83A562DD0928A
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504170046..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..Process ID: 7028..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504170046..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..**********************..Windows PowerShell transcript start..Start time: 20220504170310..Username: computer\user..RunAs User: DESKTOP-716
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):5807
                                              Entropy (8bit):5.3977275389029815
                                              Encrypted:false
                                              SSDEEP:96:BZS/AZNGqDo1Z3ZB/AZNGqDo1Zi5PhjZa/AZNGqDo1Z3cRRoZT:S
                                              MD5:6B817459B04BE9489F42E626B6DC8A60
                                              SHA1:92EB9952E3D42C49FF1617E2D30515F574E608C2
                                              SHA-256:52D51ABABD9EA021CB841743B99361348CE4FD47A25C17C2000CAC813F8F7789
                                              SHA-512:3A0E1748F60B6FA3A885B610CF803F5F9BD9B2DE6C86BFD42894B959FC0BE09DCFBAC166634F79109A67E6DD9A6A871FBD67E9F24640694BA2A6024ED92BA029
                                              Malicious:false
                                              Reputation:unknown
                                              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504170003..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..Process ID: 5868..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504170003..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe..**********************..Windows PowerShell transcript start..Start time: 20220504170356..Username: computer\user..RunAs User: DESKTOP-716
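The two transcripts above record powershell.exe running Add-MpPreference -ExclusionPath against the dropped copy under %APPDATA%, which is the artefact behind the "Adds a directory exclusion to Windows Defender" signature. Where PowerShell transcription is enabled by policy, the same text lands on real hosts. The following is an added example (not Joe Sandbox's code) that pulls exclusion changes out of transcript text and flags exclusions under user-writable locations; the transcript it parses is constructed to mirror the preview above, and the user-writable path list and helper names are this example's own assumptions.

```python
"""Extract Windows Defender exclusion changes from PowerShell transcript text.

Added example for this report (not Joe Sandbox code). The transcript below is
constructed to mirror the preview above; the user-writable roots and helper
names are this example's own assumptions.
"""
import re

# Constructed transcript text modelled on the two sessions previewed above.
SAMPLE_TRANSCRIPT = (
    "**********************\r\n"
    "Windows PowerShell transcript start\r\n"
    "Start time: 20220504170046\r\n"
    "Username: computer\\user\r\n"
    "RunAs User: computer\\user\r\n"
    "Configuration Name: \r\n"
    "Machine: 302494 (Microsoft Windows NT 10.0.17134.0)\r\n"
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\lyfhOEwABQlG.exe\r\n"
    "Process ID: 7028\r\n"
    "PSVersion: 5.1.17134.1\r\n"
    "**********************\r\n"
    "**********************\r\n"
    "Command start time: 20220504170046\r\n"
    "**********************\r\n"
    "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\lyfhOEwABQlG.exe\r\n"
    "**********************\r\n"
    "Windows PowerShell transcript start\r\n"
    "Start time: 20220504170310\r\n"
    "Username: computer\\user\r\n"
    "RunAs User: computer\\user\r\n"
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n"
    "Process ID: 7100\r\n"
    "**********************\r\n"
    "PS>Get-Process\r\n"
)

SESSION_MARK = "Windows PowerShell transcript start"

# Header fields written at the top of every transcript session.
HEADER_RE = re.compile(
    r"^(Start time|Username|RunAs User|Host Application|Process ID):[ \t]*(.*)$",
    re.M,
)

# Any Add-MpPreference call that adds an exclusion; the value may be quoted.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(\"[^\"]*\"|'[^']*'|\S+)",
    re.I,
)

# Locations a non-admin user can write to (assumed list; extend for your estate).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
    "\\users\\public\\", "\\downloads\\",
)


def is_user_writable(path: str) -> bool:
    """True when the excluded path is a drive root or sits under a user-writable location."""
    p = path.strip("\"'").lower()
    if re.fullmatch(r"[a-z]:\\?", p):          # whole-drive exclusion
        return True
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def parse_transcripts(text: str) -> list:
    """Return one record per transcript session with any exclusions it added."""
    findings = []
    for chunk in text.split(SESSION_MARK)[1:]:
        fields = {k: v.strip() for k, v in HEADER_RE.findall(chunk)}
        exclusions = []
        for kind, value in EXCLUSION_RE.findall(chunk):
            item = (kind.capitalize(), value.strip("\"'"))
            # The Host Application header repeats the PS> command line; keep one copy.
            if item not in exclusions:
                exclusions.append(item)
        findings.append({
            "start": fields.get("Start time", ""),
            "user": fields.get("Username", ""),
            "pid": fields.get("Process ID", ""),
            "exclusions": exclusions,
            "suspicious": any(k == "Path" and is_user_writable(v) for k, v in exclusions),
        })
    return findings


if __name__ == "__main__":
    for record in parse_transcripts(SAMPLE_TRANSCRIPT):
        print(record)
```

Feed parse_transcripts the text of each transcript file in the configured output directory. When transcription is not enabled, Defender itself records the configuration change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and Get-MpPreference lists the current ExclusionPath entries, so the same exclusion can be corroborated from either source.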
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.963464056116047
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:g0dvHLi4bP.exe
                                              File size:536064
                                              MD5:4c414b473bccbbce2c7cde00248ea1a1
                                              SHA1:77bf848d5a1d4d0fdc252aa170e7b8af19bcc012
                                              SHA256:7bb212946fdeb406c7aa8f691405d185065514d5dc1f269f8e409762ff9f6915
                                              SHA512:0fa66c53045e9e74d294420d66deadcad7ee56d13e33dd90e73b0de1e6958cd3b5c347e13e85797895bbac5f23b3cc3926d6b9a75f242ef2379d93230c7b0f9b
                                              SSDEEP:12288:P2L2I3WfZbHLfAFrv3fjx5u45RXKmMPA6KAzVb9Dg+qyx2H:P25I17A1vtg43KpPA6Nb98+qyx2H
                                              TLSH:8CB4120462F38336FBB972F26A6453C123753A4DB026F6A82C9093EE9CC1B5B5554F53
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u................0.."..........Z@... ...`....@.. ....................................@................................
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x48405a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0xD8BB75AE [Fri Mar 23 05:33:34 2085 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remainder of the entry-point dump is zero padding, which the disassembler renders as repeated "add byte ptr [eax], al")
The single jmp is the standard native stub of a .NET executable: 0x402000 is the IAT entry (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000 with imagebase 0x400000) holding the address of mscoree!_CorExeMain, the only import of the file, so all real logic lives in managed code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84008 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x63c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x83fec | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x82060 | 0x82200 | False | 0.956357693924 | data | 7.97222784974 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x86000 | 0x63c | 0x800 | False | 0.35009765625 | data | 3.50595023872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
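Two header facts above deserve a second look: the compile timestamp 0xD8BB75AE decodes to a date in 2085, and the .text section has entropy 7.97 over 0x82200 bytes while carrying the EXECUTE flag, which is what an encrypted payload stored in a very large array looks like (the ".NET source code contains very large array initializations" signature points the same way). The block below is an added example, not Joe Sandbox's code: it decodes a PE timestamp, computes the 8-bit entropy the report quotes, and applies simple section heuristics. The thresholds are this example's assumptions, and the byte buffers are constructed because the sample is not included here. One caveat: a .NET assembly built with Roslyn's deterministic option stores a content hash in TimeDateStamp, so a nonsense date on a managed binary is weak evidence on its own.

```python
"""Decode a PE compile timestamp and apply entropy-based section heuristics.

Added example for this report (not Joe Sandbox code). Thresholds are this
example's assumptions; the sample itself is not included, so the entropy demo
runs on constructed buffers and the section list is copied from the table above.
"""
import math
from collections import Counter
from datetime import datetime, timezone

# Values from the report's section table (name, virtual size, raw size, entropy, flags).
SECTIONS_FROM_REPORT = [
    (".text", 0x82060, 0x82200, 7.97222784974,
     "IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ"),
    (".rsrc", 0x63c, 0x800, 3.50595023872,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0xc, 0x200, 0.101910425663,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]
REPORT_TIMESTAMP = 0xD8BB75AE   # IMAGE_FILE_HEADER.TimeDateStamp from the header above


def pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_plausible(ts: int, now=None) -> bool:
    """False for a zero timestamp or one later than 'now' (defaults to the current time)."""
    if ts == 0:
        return False
    now = now or datetime.now(timezone.utc)
    return pe_timestamp(ts) <= now


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure the report quotes per section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections, entropy_threshold=7.2, min_raw_size=0x10000) -> list:
    """Flag sections that look like they carry a packed payload or are filled at runtime."""
    findings = []
    for name, vsize, rsize, entropy, flags in sections:
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual (filled at runtime)")
        if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
            findings.append(f"{name}: writable and executable")
        if ("IMAGE_SCN_MEM_EXECUTE" in flags and entropy >= entropy_threshold
                and rsize >= min_raw_size):
            findings.append(f"{name}: executable, entropy {entropy:.2f} over {rsize:#x} bytes "
                            "(packed or embedded payload)")
    return findings


if __name__ == "__main__":
    print(pe_timestamp(REPORT_TIMESTAMP), timestamp_is_plausible(REPORT_TIMESTAMP))
    # Constructed buffers: one with every byte value equally often, one of zeros.
    print(shannon_entropy(bytes(range(256)) * 4), shannon_entropy(b"\x00" * 1024))
    for line in triage_sections(SECTIONS_FROM_REPORT):
        print(line)
```

Run against the values above, only .text is flagged; the timestamp check needs the caveat about deterministic builds applied before it is treated as tampering, whereas a high-entropy executable section of this size in a managed binary is a consistent indicator that the real payload is decrypted at runtime.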
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x86090 | 0x3ac | data | - | -
RT_MANIFEST | 0x8644c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020-2021 by David Xanatos (xanasoft.com)
Assembly Version | 1.0.0.0
InternalName | PolicyExcept.exe
FileVersion | 1.0.0.0
CompanyName | sandboxie-plus.com
LegalTrademarks | -
Comments | -
ProductName | Sandboxie
ProductVersion | 1.0.0.0
FileDescription | Sandboxie Installer
OriginalFilename | PolicyExcept.exe
The version resource mimics the Sandboxie-Plus utility PolicyExcept.exe, but the file is not digitally signed (see above) and these strings are attacker-controlled metadata; they say nothing about what the binary does.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 17:00:25.724492073 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:25.921848059 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:25.921967983 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.126470089 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.126799107 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.324078083 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.324179888 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.324503899 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.522455931 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.581762075 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.779381037 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.779432058 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.779459000 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.779479980 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.779582977 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.779632092 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.781455994 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:27.856467009 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:27.977020979 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:28.006202936 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:28.204210043 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:28.247243881 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:28.367575884 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:28.565136909 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:28.566299915 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:28.764785051 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:28.767256021 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:28.967353106 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:29.068176985 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.074171066 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.273842096 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:29.292809010 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.502237082 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:29.506899118 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.705562115 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:29.706659079 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.706773043 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.707461119 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.707537889 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:00:29.904197931 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:29.904995918 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:30.056780100 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5
May 4, 2022 17:00:30.247364998 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16
May 4, 2022 17:01:17.341106892 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:17.538479090 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:17.538868904 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:18.743863106 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:18.746946096 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:18.944420099 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:18.944461107 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:18.950834990 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.148854017 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.203214884 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.400837898 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.400871038 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.400893927 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.400909901 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.400974989 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.401024103 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.403031111 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.460330009 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.599139929 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.604698896 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.804348946 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:19.854656935 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:19.952203035 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:20.149756908 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:20.150518894 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:20.349066019 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:20.349889994 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:20.550350904 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:20.550903082 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:20.750528097 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:20.751018047 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:20.965641022 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:20.966207027 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:21.164452076 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:21.165565968 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:21.165731907 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:21.165860891 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:21.165971041 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
May 4, 2022 17:01:21.362831116 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:21.362926960 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:21.503638983 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5
May 4, 2022 17:01:21.663621902 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29
Both TCP sessions go from the analysis host to port 587 (SMTP submission) on addresses returned for us2.smtp.mailhostbox.com, about one minute apart; for an AgentTesla sample this is the channel over which harvested credentials are mailed out, so the destination name, the two server addresses and outbound 587 from an endpoint that is not a mail client are the network indicators to take from this run.
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              May 4, 2022 17:00:25.672841072 CEST | 62466 | 53 | 192.168.2.5 | 8.8.8.8
                                              May 4, 2022 17:00:25.694880962 CEST | 53 | 62466 | 8.8.8.8 | 192.168.2.5
                                              May 4, 2022 17:01:17.260657072 CEST | 63241 | 53 | 192.168.2.5 | 8.8.8.8
                                              May 4, 2022 17:01:17.281758070 CEST | 53 | 63241 | 8.8.8.8 | 192.168.2.5
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              May 4, 2022 17:00:25.672841072 CEST | 192.168.2.5 | 8.8.8.8 | 0xcc9c | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:01:17.260657072 CEST | 192.168.2.5 | 8.8.8.8 | 0xe78b | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              May 4, 2022 17:00:25.694880962 CEST | 8.8.8.8 | 192.168.2.5 | 0xcc9c | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:00:25.694880962 CEST | 8.8.8.8 | 192.168.2.5 | 0xcc9c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:00:25.694880962 CEST | 8.8.8.8 | 192.168.2.5 | 0xcc9c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:00:25.694880962 CEST | 8.8.8.8 | 192.168.2.5 | 0xcc9c | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST | 8.8.8.8 | 192.168.2.5 | 0xe78b | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST | 8.8.8.8 | 192.168.2.5 | 0xe78b | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST | 8.8.8.8 | 192.168.2.5 | 0xe78b | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
                                              May 4, 2022 17:01:17.281758070 CEST | 8.8.8.8 | 192.168.2.5 | 0xe78b | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                              May 4, 2022 17:00:27.126470089 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                              May 4, 2022 17:00:27.126799107 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16 | EHLO 302494
                                              May 4, 2022 17:00:27.324179888 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
                                              250-PIPELINING
                                              250-SIZE 41648128
                                              250-VRFY
                                              250-ETRN
                                              250-STARTTLS
                                              250-AUTH PLAIN LOGIN
                                              250-AUTH=PLAIN LOGIN
                                              250-ENHANCEDSTATUSCODES
                                              250-8BITMIME
                                              250-DSN
                                              250 CHUNKING
                                              May 4, 2022 17:00:27.324503899 CEST | 49782 | 587 | 192.168.2.5 | 162.222.225.16 | STARTTLS
                                              May 4, 2022 17:00:27.522455931 CEST | 587 | 49782 | 162.222.225.16 | 192.168.2.5 | 220 2.0.0 Ready to start TLS
                                              May 4, 2022 17:01:18.743863106 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                              May 4, 2022 17:01:18.746946096 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29 | EHLO 302494
                                              May 4, 2022 17:01:18.944461107 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
                                              250-PIPELINING
                                              250-SIZE 41648128
                                              250-VRFY
                                              250-ETRN
                                              250-STARTTLS
                                              250-AUTH PLAIN LOGIN
                                              250-AUTH=PLAIN LOGIN
                                              250-ENHANCEDSTATUSCODES
                                              250-8BITMIME
                                              250-DSN
                                              250 CHUNKING
                                              May 4, 2022 17:01:18.950834990 CEST | 49799 | 587 | 192.168.2.5 | 162.222.225.29 | STARTTLS
                                              May 4, 2022 17:01:19.148854017 CEST | 587 | 49799 | 162.222.225.29 | 192.168.2.5 | 220 2.0.0 Ready to start TLS

                                              Target ID:0
                                              Start time:16:59:39
                                              Start date:04/05/2022
                                              Path:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\g0dvHLi4bP.exe"
                                              Imagebase:0x620000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.501848453.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.502149951.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.504524116.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:4
                                              Start time:17:00:00
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                                              Imagebase:0x920000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Target ID:5
                                              Start time:17:00:01
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:6
                                              Start time:17:00:01
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
                                              Imagebase:0xe30000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:7
                                              Start time:17:00:02
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:8
                                              Start time:17:00:04
                                              Start date:04/05/2022
                                              Path:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\g0dvHLi4bP.exe
                                              Imagebase:0xbd0000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.487111726.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.488270274.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.487666234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.489038629.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.696067771.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.704236786.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:12
                                              Start time:17:00:26
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
                                              Imagebase:0x780000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000002.606786408.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.603631401.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.604682206.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 31%, ReversingLabs
                                              Reputation:low

                                              Target ID:15
                                              Start time:17:00:35
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe"
                                              Imagebase:0xc50000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.594985042.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:17
                                              Start time:17:00:41
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe
                                              Imagebase:0x920000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Target ID:18
                                              Start time:17:00:42
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:19
                                              Start time:17:00:44
                                              Start date:04/05/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp
                                              Imagebase:0xe30000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:21
                                              Start time:17:00:46
                                              Start date:04/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:22
                                              Start time:17:00:52
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Imagebase:0x410000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:23
                                              Start time:17:00:54
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Imagebase:0x340000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:24
                                              Start time:17:00:55
                                              Start date:04/05/2022
                                              Path:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe
                                              Imagebase:0xbf0000
                                              File size:536064 bytes
                                              MD5 hash:4C414B473BCCBBCE2C7CDE00248EA1A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.596334236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.595827903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.596964511.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.705211628.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000002.696078477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000000.595144687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
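
                                              Read together, the process blocks show the two host-side steps the sample takes before any network activity: powershell.exe adds a Windows Defender exclusion for C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe (Targets 4 and 17) and schtasks.exe creates a task named Updates\lyfhOEwABQlG from an XML definition in the user's Temp directory (Targets 6 and 19, each with a different tmp file). The pair is recorded twice, at 17:00:00 and again at 17:00:41 after the dropped copy C:\Users\user\AppData\Roaming\AheGmkp\AheGmkp.exe has started (Target 12, 17:00:26). Note that the excluded path and the copy that actually runs are different files; a hunt should cover both, and the task name and the exclusion share the same token. The command lines are recorded with the opening quote missing, exactly as shown in the blocks.

                                              The Python below is an added example, not part of the report or of Joe Sandbox: it runs two command-line rules over the entries copied from the process blocks, tolerates the unbalanced quoting, and correlates the findings on the bare implant name so that the exclusion and the task land on the same key. The ATT&CK technique labels, the rule set and the Finding shape are my choices; the conhost.exe entry is included as a negative control that must not match.

```python
"""Command-line rules for the persistence and defence-evasion steps in this report's process list.
Added example; the rules, technique labels and Finding shape are mine, not Joe Sandbox's."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Command lines copied from the process blocks of this report (Target IDs 4, 6, 17, 19 and 5),
# with the leading quote missing exactly as the report shows them. Raw strings keep the backslashes.
REPORT_CMDLINES = [
    (4, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe'),
    (6, r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp'),
    (17, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyfhOEwABQlG.exe'),
    (19, r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyfhOEwABQlG" /XML "C:\Users\user\AppData\Local\Temp\tmp972C.tmp'),
    (5, r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'),   # console host: must not fire
]

@dataclass(frozen=True)
class Finding:
    target_id: int
    technique: str   # ATT&CK technique id
    summary: str
    artifact: str    # the path or task name the command line names

# Each rule: pattern with an 'artifact' group, ATT&CK id, one-line summary.
# Quotes are optional in the patterns because the recorded command lines are unbalanced.
RULES = [
    (re.compile(r'\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?(?P<artifact>[^"]+)', re.I),
     "T1562.001", "Windows Defender exclusion added"),
    (re.compile(r'\bschtasks(?:\.exe)?"?\s+/Create\b.*?/TN\s+"?(?P<artifact>[^"]+)', re.I),
     "T1053.005", "scheduled task created"),
]

def scan(cmdlines) -> list:
    """Apply every rule to every (target id, command line) pair, in input order."""
    findings = []
    for tid, cmd in cmdlines:
        for rx, technique, summary in RULES:
            m = rx.search(cmd)
            if m:
                findings.append(Finding(tid, technique, summary, m.group("artifact").strip()))
    return findings

def correlate(findings) -> dict:
    """Key findings by the bare implant name: 'Updates\\lyfhOEwABQlG' and
    '...\\Roaming\\lyfhOEwABQlG.exe' both reduce to the stem 'lyfhOEwABQlG'."""
    by_name = {}
    for f in findings:
        by_name.setdefault(PureWindowsPath(f.artifact).stem, set()).add(f.technique)
    return by_name
```

                                              scan(REPORT_CMDLINES) returns four findings (one per PowerShell and schtasks entry, none for conhost.exe), and correlate() collapses them to a single key, lyfhOEwABQlG, carrying both technique ids. PureWindowsPath is used so the stem extraction works on Windows paths when the script runs on a Linux analysis box.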

                                              No disassembly