
Windows Analysis Report
PO] G_24370-24396_SI2_S25_8658.exe

Overview

General Information

Sample name:PO] G_24370-24396_SI2_S25_8658.exe
Analysis ID:1559143
MD5:adc8d552e00251dbbdcd0aafe5bd3739
SHA1:bdccf1531860ea4e5c139864707332252ca6d62b
SHA256:0b06f6a3a4102c27376f21cbcd09d3c0bf5e6cc7e92f9b9a3810fc386ac8184d

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64_ra
  • PO] G_24370-24396_SI2_S25_8658.exe (PID: 7060 cmdline: "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe" MD5: ADC8D552E00251DBBDCD0AAFE5BD3739)
    • powershell.exe (PID: 6292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2676 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2864 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source | Rule | Description | Author
00000008.00000002.2477991883.000000000342E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", ParentImage: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe, ParentProcessId: 7060, ParentProcessName: PO] G_24370-24396_SI2_S25_8658.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", ProcessId: 6292, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe, Initiated: true, ProcessId: 6524, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", ParentImage: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe, ParentProcessId: 7060, ParentProcessName: PO] G_24370-24396_SI2_S25_8658.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp", ProcessId: 2864, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", ParentImage: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe, ParentProcessId: 7060, ParentProcessName: PO] G_24370-24396_SI2_S25_8658.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", ProcessId: 6292, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe", ParentImage: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe, ParentProcessId: 7060, ParentProcessName: PO] G_24370-24396_SI2_S25_8658.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp", ProcessId: 2864, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: PO] G_24370-24396_SI2_S25_8658.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe | Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe | Joe Sandbox ML: detected
Source: PO] G_24370-24396_SI2_S25_8658.exe | Joe Sandbox ML: detected
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 4x nop then jmp 07CABD16h | 0_2_07CAB5E9
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 4x nop then jmp 07CABD16h | 0_2_07CAB69E
Source: Joe Sandbox View | IP Address: 46.175.148.58 46.175.148.58
Source: global traffic | TCP traffic: 192.168.2.16:49705 -> 46.175.148.58:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2477991883.0000000003438000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1273906340.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S

System Summary

Source: 8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_018BD51C | 0_2_018BD51C
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA2320 | 0_2_07CA2320
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CACF19 | 0_2_07CACF19
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA57B8 | 0_2_07CA57B8
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA5380 | 0_2_07CA5380
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA72C8 | 0_2_07CA72C8
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA6028 | 0_2_07CA6028
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA6027 | 0_2_07CA6027
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA5BE9 | 0_2_07CA5BE9
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA5BF0 | 0_2_07CA5BF0
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_01A6D0F8 | 8_2_01A6D0F8
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_01A6B010 | 8_2_01A6B010
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_01A6A3F8 | 8_2_01A6A3F8
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_01A6A740 | 8_2_01A6A740
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_06972130 | 8_2_06972130
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_06973078 | 8_2_06973078
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_069754B8 | 8_2_069754B8
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1276526253.0000000005B00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1278253591.0000000007FA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1273906340.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277724023.0000000007BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejaUa.exe6 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1272577083.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1274541036.00000000044D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000000.1225431580.0000000000DF8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejaUa.exe6 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2476084613.00000000014F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO] G_24370-24396_SI2_S25_8658.exe
Source: PO] G_24370-24396_SI2_S25_8658.exe | Binary or memory string: OriginalFilenamejaUa.exe6 vs PO] G_24370-24396_SI2_S25_8658.exe
Source: 8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VxQjXFYhdkY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, MVfNXuELv1PY47s9c1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, MVfNXuELv1PY47s9c1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/12@1/1
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File created: C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Mutant created: \Sessions\1\BaseNamedObjects\OvgQqnLtifSbE
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE291.tmp
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File read: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess created: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | .Net Code: D1DV1tIN8q System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | .Net Code: D1DV1tIN8q System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4783 push es; retf 0_2_07CA4792
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4774 push es; retf 0_2_07CA4782
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA5368 push ecx; retf 0007h 0_2_07CA536A
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA5282 push es; retf 0_2_07CA5283
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA50C4 push es; retf 0_2_07CA50C5
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA508A push es; retf 0_2_07CA508C
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA509B push es; retf 0_2_07CA50A2
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA5091 push es; retf 0_2_07CA5092
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA50A7 push es; retf 0_2_07CA50A8
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4F84 push es; retf 0_2_07CA4F8D
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4F38 push es; retf 0_2_07CA4F39
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4E33 push es; retf 0_2_07CA4E34
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4CCB push es; retf 0_2_07CA4CCD
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4CD2 push es; retf 0_2_07CA4CD3
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA4CFF push es; retf 0_2_07CA4D00
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 0_2_07CA48E3 push cs; retf 0_2_07CA48F2
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_01A6BFE8 push esp; ret 8_2_01A6BFFD
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_0697ECB0 push es; ret 8_2_0697ECC0
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Code function: 8_2_06977102 push es; ret 8_2_06977110
Source: PO] G_24370-24396_SI2_S25_8658.exe | Static PE information: section name: .text entropy: 7.933918976784444
Source: VxQjXFYhdkY.exe.0.dr | Static PE information: section name: .text entropy: 7.933918976784444
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, vtch46YO90XtOrUTp9.cs | High entropy of concatenated method names: 'l2qmXtvHfV', 'JxOmOVUmWn', 'UgLmjGJHWY', 'hHpmGf2Dgr', 'PCFmWhVOZO', 'YcImw3KJ11', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, d77XqbcqvedpqQSLRG.cs | High entropy of concatenated method names: 'o3CjonacIU', 'EYTjpSflXD', 'HUDj1Q5tg7', 'hVEjh89L7w', 'zWEjL84VmL', 'IstjK62vxE', 'R9njuWXLHW', 'hE2j3iA6rW', 'cGpuhpkdfDXbeohtfBv', 'KiyEqOkDY1S8dEGVp8U'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, i8TCGSzhIFNXFrCaNb.cs | High entropy of concatenated method names: 'I3gmLX4Iu7', 'Kx8mEZCHok', 'bHgmuANhHv', 'LMkmRnbXPX', 'QhjmUQdsEc', 'wAJmcOQSPM', 'GlQmvx1yRt', 'WZ5moWX6yG', 'bo4mpJNXWW', 'BjPmyhnvPG'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, BVJ8we3yZQ2puFy4KA.cs | High entropy of concatenated method names: 'LR7OAgRJMQ', 'E4uOKsdhwB', 'xMfXF6hhqP', 'bNVXcujqKB', 'y51XvBGgd8', 'rGOXauVi5Y', 'AP9Xf0toTt', 'IUCX9xI4bB', 'MfUXMWPyrA', 'BWZX6R8f2x'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, xi93dHxsxDMH8omRsiw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GchmBd2OYj', 'DfFmbFcQCt', 'm0Tm4T8Maa', 'wHomISaRPc', 'zY0mrPLfnI', 'tYomNbXQMg', 'yuKmSfoDfs'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, hCgUrr0eFkI5XY0P4W.cs | High entropy of concatenated method names: 'GtfWkICWTb', 'KbaWQsQ1WL', 'bKOWWyIr2V', 'bHqWiuKl20', 'GjQWgQxmVm', 'sgJWoH2lKj', 'Dispose', 'gFBlnoE5lJ', 'lWQlqlc2Ym', 'KZKlXkO7gQ'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, qhJWnR4EwQykKKej0S.cs | High entropy of concatenated method names: 'HDDJEG1Qqf', 'dxmJuVbn9l', 'vPkJR0D1vH', 'LN2JUNSBER', 'tdtJcyWOgh', 'TtMJvj6EYF', 'ddMJfHLlx2', 'udWJ9EJniF', 'Q1jJ6YUiyc', 'KvUJBA3Sqk'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, blHjFhtXDjatYEddY4.cs | High entropy of concatenated method names: 'QmGWRmraH3', 'miaWUxh4iv', 'C3TWFqqF6B', 'XhJWcJ20eD', 'OMVWvhusjo', 'J93WaUgD9H', 'U8JWfhWmsn', 'Lj7W9tx4BR', 'FYDWMCn4j0', 'M4yW6RT8fx'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, lE3xLExx4yRHP8Gjl8O.cs | High entropy of concatenated method names: 'B2smYDNg1A', 'YtZmz1PNCJ', 'QLrisJeZCw', 'B3Jix5sZZ3', 'Y6nidej2W2', 'w8JiH8UMDi', 'qG6iVgdNyi', 'FHriPXxnp6', 'k0sin8dKcc', 'X3biq9D7tq'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, PYuXog2XHWZlDMdMZy.cs | High entropy of concatenated method names: 'G5MQeJ0Ob7', 'PEEQYEUKYb', 'of4lsFanGg', 'dfNlxH9RbC', 'S58QB3w1jB', 'pBuQbywOwv', 'SCUQ43UfhK', 'hK2QI4uOv9', 'WsjQrhOZyT', 'MXaQNmorXB'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, WUyltgI5o6ZgK2WP1H.cs | High entropy of concatenated method names: 'bCQk6M31ke', 'vUkkb9G1H3', 'YcfkIvqPJc', 'fi2krwVuEH', 'vjWkUH3Drb', 'sjrkFKIxtJ', 'phFkcwEDEs', 'McdkvnqgW2', 'f08kaBGGF8', 'VCTkf9PuqD'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, MVfNXuELv1PY47s9c1.cs | High entropy of concatenated method names: 'xw9qI6KflP', 'jIsqrUgrmu', 'svXqNoGA0m', 'P25qSlo5hZ', 'uBUq7yQ6cQ', 'XHJq20tKwH', 'tPVq0QBg6H', 'Amyqe1e9Sd', 'W6Rqt2gKIm', 'PIvqYVN2vO'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, mwp7Eiwcp4pwiQj9Xn.cs | High entropy of concatenated method names: 'VkAHPjx3Ue', 'Hm9HnOWjZL', 'lHaHqeknC5', 'LfwHXNk6Xx', 'xLoHOQiBDx', 'dU0HjcMSAf', 'tUlHGdbiwT', 'WFgHwJxAn5', 'o6pHZoO5nc', 'xhSHTjpRNG'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, eQFYfaRl2B3Rg6Kqil.cs | High entropy of concatenated method names: 'TL6jPs59Fh', 'amajq6huXG', 'wRGjOmWsQt', 'GT5jGZGaro', 'og1jwxHyeV', 'KKOO7tg1Ki', 'VCXO2MjQha', 'uTyO02HDUO', 'EfpOepLVrK', 'YN1OtKGM3I'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, gv9lp2f3vfoYOKUnw4.cs | High entropy of concatenated method names: 'QrEGnYHB03', 'd53GXFy96i', 'RhGGjLpxwl', 'MeOjYXfZUO', 'n9GjzU0GoM', 'MsEGsFLXd0', 'chpGxxAOH3', 'mNnGdi1vV4', 'tGSGHMI6n6', 'e77GVFehL1'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, mCEUSLu2HVAxcj9MLj.cs | High entropy of concatenated method names: 'V9BXhBIUbd', 'm0xXLtovpu', 'L7SXE9HGrE', 'pKxXujmZ3w', 'ivOXkw2LuK', 'SGUXDk48dn', 'AxuXQROkph', 'dgXXlbM47C', 'YndXWs1H2W', 'r7cXm2p4jT'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, QHRLEaq8QafEmkxm8E.cs | High entropy of concatenated method names: 'Dispose', 'oI5xtXY0P4', 'msvdU1CFyp', 'v6DTuKI9CU', 'sfdxYBQ2CG', 'sA1xzyjk4R', 'ProcessDialogKey', 'o2ddslHjFh', 'gDjdxatYEd', 'cY4ddgtch4'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, XfhyyuxdptwT9CrFpp3.cs | High entropy of concatenated method names: 'ToString', 'ouPiEGTKM1', 'YyMiuoSdl3', 'LhXi3ewOx4', 'U5ZiR094RB', 'XyCiUZAbhr', 'woSiFn8HcO', 'T5yicwJgU9', 't6sIwkJqc9qMNPagiVR', 'ceatSGJUHyolCxFdX29'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, xJiUvJdSOwk2IKU3P2.cs | High entropy of concatenated method names: 'vgv1gxJ9H', 'HpEhKq0ty', 'mQ8LgeCXV', 'aUNKaL315', 'pKXu3LCAT', 'e8a35MEqS', 'npKUlIpgVyyMVT3pwC', 'g5pKgAfoGnJHdW6Rs2', 'UwylkqEPR', 'oR7m3IsnN'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, We5DyIM5S1d3v5tWUG.cs | High entropy of concatenated method names: 'J6nGp9gbLZ', 'V64GyJTFie', 'cQDG1chDOy', 'HVRGhMZ1w3', 'pE2GASNeXm', 'JvKGLD55dG', 'xnvGKhN9LX', 'oBcGENVCiZ', 'mmmGudObO5', 'OmCG3BCh4R'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, uwGRIvVnaJ1rs3AesQ.cs | High entropy of concatenated method names: 'VpMxGVfNXu', 'Bv1xwPY47s', 'C2HxTVAxcj', 'MMLx8jLVJ8', 'Hy4xkKAPQF', 'YfaxDl2B3R', 'FhagZlCNxMUqcSrPqy', 'qXDoarbT7v1YjOpJNk', 'EjQxx56GKj', 'CyqxHv2bHW'
Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, y7vHnpXbTQd5M9AyJn.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'giEdtFBhtj', 'Y8rdYvB5gM', 'TTudziAoAL', 'zrhHsAtTML', 'udvHxqkGgx', 'wVHHd5Ub1J', 'PrqHHfoyrK', 'jrqb4m9j6ThpOaxlqDf'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.7fa0000.4.raw.unpack, q7suDPU5dkfR4akZOW.csHigh entropy of concatenated method names: 'it6vAMkLtVLUwPuEJF4', 'yALYx7kS22WuwU4UBNF', 'phsjlaJIeI', 'rGejWaKHgS', 't94jmuPEcm', 'VWGMvIkmmp34uBHUGCT', 'XebBfZkG88kn1H1fkDd'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, vtch46YO90XtOrUTp9.csHigh entropy of concatenated method names: 'l2qmXtvHfV', 'JxOmOVUmWn', 'UgLmjGJHWY', 'hHpmGf2Dgr', 'PCFmWhVOZO', 'YcImw3KJ11', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, d77XqbcqvedpqQSLRG.csHigh entropy of concatenated method names: 'o3CjonacIU', 'EYTjpSflXD', 'HUDj1Q5tg7', 'hVEjh89L7w', 'zWEjL84VmL', 'IstjK62vxE', 'R9njuWXLHW', 'hE2j3iA6rW', 'cGpuhpkdfDXbeohtfBv', 'KiyEqOkDY1S8dEGVp8U'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, i8TCGSzhIFNXFrCaNb.csHigh entropy of concatenated method names: 'I3gmLX4Iu7', 'Kx8mEZCHok', 'bHgmuANhHv', 'LMkmRnbXPX', 'QhjmUQdsEc', 'wAJmcOQSPM', 'GlQmvx1yRt', 'WZ5moWX6yG', 'bo4mpJNXWW', 'BjPmyhnvPG'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, BVJ8we3yZQ2puFy4KA.csHigh entropy of concatenated method names: 'LR7OAgRJMQ', 'E4uOKsdhwB', 'xMfXF6hhqP', 'bNVXcujqKB', 'y51XvBGgd8', 'rGOXauVi5Y', 'AP9Xf0toTt', 'IUCX9xI4bB', 'MfUXMWPyrA', 'BWZX6R8f2x'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, xi93dHxsxDMH8omRsiw.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GchmBd2OYj', 'DfFmbFcQCt', 'm0Tm4T8Maa', 'wHomISaRPc', 'zY0mrPLfnI', 'tYomNbXQMg', 'yuKmSfoDfs'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, hCgUrr0eFkI5XY0P4W.csHigh entropy of concatenated method names: 'GtfWkICWTb', 'KbaWQsQ1WL', 'bKOWWyIr2V', 'bHqWiuKl20', 'GjQWgQxmVm', 'sgJWoH2lKj', 'Dispose', 'gFBlnoE5lJ', 'lWQlqlc2Ym', 'KZKlXkO7gQ'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, qhJWnR4EwQykKKej0S.csHigh entropy of concatenated method names: 'HDDJEG1Qqf', 'dxmJuVbn9l', 'vPkJR0D1vH', 'LN2JUNSBER', 'tdtJcyWOgh', 'TtMJvj6EYF', 'ddMJfHLlx2', 'udWJ9EJniF', 'Q1jJ6YUiyc', 'KvUJBA3Sqk'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, blHjFhtXDjatYEddY4.csHigh entropy of concatenated method names: 'QmGWRmraH3', 'miaWUxh4iv', 'C3TWFqqF6B', 'XhJWcJ20eD', 'OMVWvhusjo', 'J93WaUgD9H', 'U8JWfhWmsn', 'Lj7W9tx4BR', 'FYDWMCn4j0', 'M4yW6RT8fx'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, lE3xLExx4yRHP8Gjl8O.csHigh entropy of concatenated method names: 'B2smYDNg1A', 'YtZmz1PNCJ', 'QLrisJeZCw', 'B3Jix5sZZ3', 'Y6nidej2W2', 'w8JiH8UMDi', 'qG6iVgdNyi', 'FHriPXxnp6', 'k0sin8dKcc', 'X3biq9D7tq'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, PYuXog2XHWZlDMdMZy.csHigh entropy of concatenated method names: 'G5MQeJ0Ob7', 'PEEQYEUKYb', 'of4lsFanGg', 'dfNlxH9RbC', 'S58QB3w1jB', 'pBuQbywOwv', 'SCUQ43UfhK', 'hK2QI4uOv9', 'WsjQrhOZyT', 'MXaQNmorXB'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, WUyltgI5o6ZgK2WP1H.csHigh entropy of concatenated method names: 'bCQk6M31ke', 'vUkkb9G1H3', 'YcfkIvqPJc', 'fi2krwVuEH', 'vjWkUH3Drb', 'sjrkFKIxtJ', 'phFkcwEDEs', 'McdkvnqgW2', 'f08kaBGGF8', 'VCTkf9PuqD'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, MVfNXuELv1PY47s9c1.csHigh entropy of concatenated method names: 'xw9qI6KflP', 'jIsqrUgrmu', 'svXqNoGA0m', 'P25qSlo5hZ', 'uBUq7yQ6cQ', 'XHJq20tKwH', 'tPVq0QBg6H', 'Amyqe1e9Sd', 'W6Rqt2gKIm', 'PIvqYVN2vO'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, mwp7Eiwcp4pwiQj9Xn.csHigh entropy of concatenated method names: 'VkAHPjx3Ue', 'Hm9HnOWjZL', 'lHaHqeknC5', 'LfwHXNk6Xx', 'xLoHOQiBDx', 'dU0HjcMSAf', 'tUlHGdbiwT', 'WFgHwJxAn5', 'o6pHZoO5nc', 'xhSHTjpRNG'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, eQFYfaRl2B3Rg6Kqil.csHigh entropy of concatenated method names: 'TL6jPs59Fh', 'amajq6huXG', 'wRGjOmWsQt', 'GT5jGZGaro', 'og1jwxHyeV', 'KKOO7tg1Ki', 'VCXO2MjQha', 'uTyO02HDUO', 'EfpOepLVrK', 'YN1OtKGM3I'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, gv9lp2f3vfoYOKUnw4.csHigh entropy of concatenated method names: 'QrEGnYHB03', 'd53GXFy96i', 'RhGGjLpxwl', 'MeOjYXfZUO', 'n9GjzU0GoM', 'MsEGsFLXd0', 'chpGxxAOH3', 'mNnGdi1vV4', 'tGSGHMI6n6', 'e77GVFehL1'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, mCEUSLu2HVAxcj9MLj.csHigh entropy of concatenated method names: 'V9BXhBIUbd', 'm0xXLtovpu', 'L7SXE9HGrE', 'pKxXujmZ3w', 'ivOXkw2LuK', 'SGUXDk48dn', 'AxuXQROkph', 'dgXXlbM47C', 'YndXWs1H2W', 'r7cXm2p4jT'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, QHRLEaq8QafEmkxm8E.csHigh entropy of concatenated method names: 'Dispose', 'oI5xtXY0P4', 'msvdU1CFyp', 'v6DTuKI9CU', 'sfdxYBQ2CG', 'sA1xzyjk4R', 'ProcessDialogKey', 'o2ddslHjFh', 'gDjdxatYEd', 'cY4ddgtch4'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, XfhyyuxdptwT9CrFpp3.csHigh entropy of concatenated method names: 'ToString', 'ouPiEGTKM1', 'YyMiuoSdl3', 'LhXi3ewOx4', 'U5ZiR094RB', 'XyCiUZAbhr', 'woSiFn8HcO', 'T5yicwJgU9', 't6sIwkJqc9qMNPagiVR', 'ceatSGJUHyolCxFdX29'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, xJiUvJdSOwk2IKU3P2.csHigh entropy of concatenated method names: 'vgv1gxJ9H', 'HpEhKq0ty', 'mQ8LgeCXV', 'aUNKaL315', 'pKXu3LCAT', 'e8a35MEqS', 'npKUlIpgVyyMVT3pwC', 'g5pKgAfoGnJHdW6Rs2', 'UwylkqEPR', 'oR7m3IsnN'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, We5DyIM5S1d3v5tWUG.csHigh entropy of concatenated method names: 'J6nGp9gbLZ', 'V64GyJTFie', 'cQDG1chDOy', 'HVRGhMZ1w3', 'pE2GASNeXm', 'JvKGLD55dG', 'xnvGKhN9LX', 'oBcGENVCiZ', 'mmmGudObO5', 'OmCG3BCh4R'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, uwGRIvVnaJ1rs3AesQ.csHigh entropy of concatenated method names: 'VpMxGVfNXu', 'Bv1xwPY47s', 'C2HxTVAxcj', 'MMLx8jLVJ8', 'Hy4xkKAPQF', 'YfaxDl2B3R', 'FhagZlCNxMUqcSrPqy', 'qXDoarbT7v1YjOpJNk', 'EjQxx56GKj', 'CyqxHv2bHW'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, y7vHnpXbTQd5M9AyJn.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'giEdtFBhtj', 'Y8rdYvB5gM', 'TTudziAoAL', 'zrhHsAtTML', 'udvHxqkGgx', 'wVHHd5Ub1J', 'PrqHHfoyrK', 'jrqb4m9j6ThpOaxlqDf'
                    Source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4509a28.0.raw.unpack, q7suDPU5dkfR4akZOW.csHigh entropy of concatenated method names: 'it6vAMkLtVLUwPuEJF4', 'yALYx7kS22WuwU4UBNF', 'phsjlaJIeI', 'rGejWaKHgS', 't94jmuPEcm', 'VWGMvIkmmp34uBHUGCT', 'XebBfZkG88kn1H1fkDd'
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeFile created: C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exeJump to dropped file
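The "high entropy of concatenated method names" entries above come from a simple measurement: join every method name of a decompiled class into one string and compute its Shannon entropy. Hand-written C# identifiers reuse a small set of letters, while a renaming obfuscator draws from the whole alphanumeric alphabet, so the figure jumps. The script below is an added example and not Joe Sandbox's code. It reproduces the metric on names copied from two of the classes listed above (lE3xLExx4yRHP8Gjl8O.cs and QHRLEaq8QafEmkxm8E.cs) and on a constructed list of ordinary WinForms member names; the 4.8-bit threshold is chosen here for illustration, the report does not state the one it applies.

```python
import math
from collections import Counter

# Method names copied from the report entries above: a class whose members are
# all randomised (lE3xLExx4yRHP8Gjl8O.cs) and one that mixes randomised names
# with framework overrides the obfuscator cannot rename (QHRLEaq8QafEmkxm8E.cs).
OBFUSCATED = ['B2smYDNg1A', 'YtZmz1PNCJ', 'QLrisJeZCw', 'B3Jix5sZZ3', 'Y6nidej2W2',
              'w8JiH8UMDi', 'qG6iVgdNyi', 'FHriPXxnp6', 'k0sin8dKcc', 'X3biq9D7tq']
MIXED = ['Dispose', 'oI5xtXY0P4', 'msvdU1CFyp', 'v6DTuKI9CU', 'sfdxYBQ2CG',
         'sA1xzyjk4R', 'ProcessDialogKey', 'o2ddslHjFh', 'gDjdxatYEd', 'cY4ddgtch4']
# Constructed comparison set: member names of an ordinary hand-written WinForms class.
BENIGN = ['Dispose', 'ToString', 'GetType', 'Equals', 'GetHashCode',
          'InitializeComponent', 'Main', 'Load', 'Save', 'Close']

# Threshold chosen here for illustration; the report does not publish its own.
THRESHOLD_BITS = 4.8


def shannon_entropy(data: str) -> float:
    """Empirical Shannon entropy of `data` in bits per character."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def method_name_entropy(names) -> float:
    """The metric behind the report entries: entropy of all names joined together.
    The constructed BENIGN list lands around 4.4 bits because English identifiers
    lean on e, o, i, a, s and t; the OBFUSCATED list lands around 5.3 bits because
    its names are spread across upper case, lower case and digits."""
    return shannon_entropy(''.join(names))


def looks_obfuscated(names, threshold: float = THRESHOLD_BITS) -> bool:
    """True when the concatenated names exceed the entropy threshold."""
    return method_name_entropy(names) > threshold


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('mixed', MIXED), ('benign', BENIGN)):
        print(f'{label:10s} {method_name_entropy(names):.2f} bits  flagged={looks_obfuscated(names)}')
```

In practice the names come from the MethodDef table of the unpacked assembly (dnSpy, ILSpy or the dnfile Python library will list them); the report runs the check once per class, which is why the same class name appears under both memory dumps. Classes that mostly override framework members, such as the vtch46YO90XtOrUTp9.cs entry with its 'Next', 'Next', 'Next', 'NextBytes', pull the figure down, and legitimate commercial obfuscators produce the same pattern, so this is one indicator to weigh alongside the behavioural ones below, not a verdict on its own.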

                    Boot Survival

                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp"
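The schtasks command line above is what the Sigma rule "Scheduled temp file as task from temp location" keys on: a task is created from an XML definition that lives in the user's Temp directory, and the parent that launches schtasks runs from a user-writable path rather than from Program Files or Windows. The detector below is an added example, not part of the report or of the Sigma rule set. It parses schtasks switches the way the Windows command line actually tokenises them (quoted values kept whole) and scores process-creation records of the shape (parent image, child image, command line) that Sysmon event 1 or Security event 4688 would supply. The first record is the command line recorded in this report; the other two are constructed benign comparisons.

```python
import re

# Constructed process-creation records. The first command line is the one
# recorded in this report; the other two are constructed here as benign controls.
EVENTS = [
    {'parent': r'C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe',
     'image': r'C:\Windows\SysWOW64\schtasks.exe',
     'cmdline': r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp"'},
    {'parent': r'C:\Program Files\Vendor\Setup.exe',
     'image': r'C:\Windows\System32\schtasks.exe',
     'cmdline': r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml" /F'},
    {'parent': r'C:\Windows\System32\cmd.exe',
     'image': r'C:\Windows\System32\schtasks.exe',
     'cmdline': r'schtasks /Query /TN "Updates\VxQjXFYhdkY"'},
]

# Locations an unprivileged user can write to. A task definition read from one,
# or a parent executing from one, is the signal the Sigma rule looks for.
TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TE?MP%', re.IGNORECASE)
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\(Desktop|Downloads|AppData|Documents)\\', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch (lower-cased) to its value, or True when it takes none.
    Quoted values are kept as one token, then unquoted."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    args = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            key = tok.lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith('/'):
                args[key] = nxt.strip('"')
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def reasons_for(event: dict) -> list:
    """Why, if at all, one schtasks execution matches the pattern seen in this report."""
    args = parse_schtasks(event['cmdline'])
    if '/create' not in args:          # queries, deletions and runs are out of scope
        return []
    hits = []
    xml = args.get('/xml')
    if isinstance(xml, str) and TEMP_DIR.search(xml):
        hits.append(f'task defined from XML in a temp directory: {xml}')
    if USER_WRITABLE.search(event['parent']):
        hits.append(f'schtasks launched from a user-writable path: {event["parent"]}')
    return hits


def detect(events):
    """Return (command line, reasons) for every event with at least one reason."""
    out = []
    for e in events:
        hits = reasons_for(e)
        if hits:
            out.append((e['cmdline'], hits))
    return out


if __name__ == '__main__':
    for cmdline, hits in detect(EVENTS):
        print(cmdline)
        for h in hits:
            print('   ', h)
```

Two points matter when triaging a hit like this one. The tmp file is normally deleted right after registration, but the Task Scheduler keeps its own copy of the definition under C:\Windows\System32\Tasks\Updates\VxQjXFYhdkY, so the action path survives even when the Temp directory has been cleaned. And the rule fires on the XML location, not on the task name: installers that register updaters from %TEMP% exist, so confirm the action against the dropped file above (C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe) before treating the task alone as proof of persistence.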

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample - Icon embedded in binary file: icon matches a legit application icon: download (129).png
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe - Process information set: NOOPENFILEERRORBOX (67 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX (82 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 7060, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 18B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 3270000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 5270000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 8120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 9120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 92D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: A2D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 1A20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 33E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: 3320000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5877
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3643
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5431
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4097
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Window / User API: threadDelayed 9776
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3972 | Thread sleep count: 5877 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3972 | Thread sleep count: 3643 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6604 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 5452 | Thread sleep count: 90 > 30
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99889s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 5452 | Thread sleep count: 9776 > 30
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99777s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99665s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99554s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99442s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99314s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99186s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -99076s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98964s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98853s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98741s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98629s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98501s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98373s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98261s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98150s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -98039s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97927s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97799s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97671s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97559s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97447s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97335s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97223s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -97095s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96967s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96857s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96745s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96633s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96521s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96393s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96265s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96153s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -96041s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95929s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95817s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95689s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95561s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95449s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95338s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95226s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -95114s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94986s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94858s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94746s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94634s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94522s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94410s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe TID: 2760 | Thread sleep time: -94282s >= -30000s
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99889
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99777
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99665
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99554
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99442
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99314
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99186
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 99076
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98964
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98853
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98741
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98629
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98501
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98373
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98261
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98150
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 98039
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97927
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97799
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97671
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97559
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97447
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97335
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97223
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 97095
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96967
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96857
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96745
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96633
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96521
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96393
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96265
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96153
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 96041
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95929
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95817
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95689
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95561
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95449
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95338
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95226
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 95114
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94986
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94858
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94746
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94634
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94522
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94410
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Thread delayed: delay time: 94282
                    Source: PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2476600579.0000000001759000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe"
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Memory written: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp"
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Process created: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\userbrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\userbrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\userbriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OFFSYML.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2477991883.000000000342E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 6524, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 6524, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 8.2.PO] G_24370-24396_SI2_S25_8658.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.433d278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO] G_24370-24396_SI2_S25_8658.exe.4302858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2477991883.000000000342E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO] G_24370-24396_SI2_S25_8658.exe PID: 6524, type: MEMORYSTR

MITRE ATT&CK Matrix (leading digits are the count badges shown in the original matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 11 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1559143 | Sample: PO] G_24370-24396_SI2_S25_8... | Startdate: 20/11/2024 | Architecture: WINDOWS | Score: 100 (numeric badges from the graph are kept in parentheses)

• Start
  • DNS/IP: mail.iaa-airferight.com
  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures
  • Process started: PO] G_24370-24396_SI2_S25_8658.exe (6)
    • Dropped files: C:\Users\user\AppData\...\VxQjXFYhdkY.exe (PE32); C:\Users\...\VxQjXFYhdkY.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpE291.tmp (XML)
    • Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    • Process started: PO] G_24370-24396_SI2_S25_8658.exe (2)
      • DNS/IP: mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine
      • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    • Process started: powershell.exe (22)
      • Signature: Loading BitLocker PowerShell Module
      • Process started: WmiPrvSE.exe
      • Process started: conhost.exe
    • Process started: powershell.exe (23)
      • Process started: conhost.exe
    • Process started: schtasks.exe (1)
      • Process started: conhost.exe

Source | Detection | Scanner | Label | Link
PO] G_24370-24396_SI2_S25_8658.exe | 100% | Avira | HEUR/AGEN.1306899 |
PO] G_24370-24396_SI2_S25_8658.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe | 100% | Avira | HEUR/AGEN.1306899 |
C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | PO] G_24370-24396_SI2_S25_8658.exe, 00000008.00000002.2477991883.0000000003438000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                      http://www.galapagosdesign.com/staff/dennis.htmPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://fontfabrik.comPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.founder.com.cn/cnPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.fontbureau.com/designers/frere-jones.htmlPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.jiyu-kobo.co.jp/PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.galapagosdesign.com/DPleasePO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.fontbureau.com/designers8PO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.fonts.comPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.sandoll.co.krPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.urwpp.deDPleasePO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.zhongyicts.com.cnPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1273906340.00000000032CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.sakkal.comPO] G_24370-24396_SI2_S25_8658.exe, 00000000.00000002.1277053062.0000000007682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | - | 56394 | ASLAGIDKOM-NETUA | false
                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                Analysis ID:1559143
                                                                                Start date and time:2024-11-20 08:08:31 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 6m 10s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                Number of analysed new started processes analysed:19
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:PO] G_24370-24396_SI2_S25_8658.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.troj.spyw.evad.winEXE@13/12@1/1
                                                                                EGA Information:
                                                                                • Successful, ratio: 100%
                                                                                HCA Information:
                                                                                • Successful, ratio: 100%
                                                                                • Number of executed functions: 38
                                                                                • Number of non-executed functions: 8
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                • VT rate limit hit for: PO] G_24370-24396_SI2_S25_8658.exe
Time | Type | Description
02:09:03 | API Interceptor | 183x Sleep call for process: PO] G_24370-24396_SI2_S25_8658.exe modified
02:09:06 | API Interceptor | 27x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
46.175.148.58 | [PO SHEET]PO24S1458(SEQ 2).exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | New Tooling CT240230231CTA240714.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | New Tooling CT240230231CTA240714.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | new order PO 4535005948.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | Purchase order.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | Purchase Order November 2024.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | PO. WW-1580 (DPEBO1-2SDC S25- Nov.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | z14PO31634724MIA0066-0067.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | new order - PO 351081.exe | Get hash | malicious | AgentTesla | Browse | -
46.175.148.58 | Bill_Of _Lading.exe | Get hash | malicious | AgentTesla | Browse | -
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.iaa-airferight.com | [PO SHEET]PO24S1458(SEQ 2).exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | New Tooling CT240230231CTA240714.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | New Tooling CT240230231CTA240714.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | new order PO 4535005948.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | Purchase order.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | Purchase Order November 2024.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | PO. WW-1580 (DPEBO1-2SDC S25- Nov.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | z14PO31634724MIA0066-0067.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | new order - PO 351081.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | Bill_Of _Lading.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASLAGIDKOM-NETUA | [PO SHEET]PO24S1458(SEQ 2).exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | New Tooling CT240230231CTA240714.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | New Tooling CT240230231CTA240714.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | new order PO 4535005948.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | Purchase order.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | Purchase Order November 2024.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | PO. WW-1580 (DPEBO1-2SDC S25- Nov.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | 1730880367d56600a7d0ea47c56ed9b8d8deeddf01b8ca4755058c0ee09aab2d2be61d6702838.dat-decoded.exe | Get hash | malicious | PureLog Stealer | Browse | 46.175.146.21
ASLAGIDKOM-NETUA | z14PO31634724MIA0066-0067.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | new order - PO 351081.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
                                                                                                    No context
                                                                                                    No context
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):22364
                                                                                                    Entropy (8bit):5.6123920819467665
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:FKz31JofKdJ2b5LsBMiXJC7Gg7eskzD1vMNWQwiaVjJwBCP9qpZ8mGtn8eeN:wESdwbxsyiXUB7e9GNvfaNJj9mZpGt8l
                                                                                                    MD5:35D8580F29299A44B4AE446AB9A05829
                                                                                                    SHA1:25080C6794723CDBDB8D7DCB192E2FA5C571F3E1
                                                                                                    SHA-256:9BFC16362D776C6923A02124308165070839B02391D11336AFC1C10DEFED2B8C
                                                                                                    SHA-512:69ACF16A83D4A5DA09AD8D1CF4FC9ABF4E1357664784BC01B91A7B5F4BB7A29BEE5C0B1B374D5F7F960D3EA6023E2E4DEAA21F439E6AB1B2ECB685E393286BB5
                                                                                                    Malicious:false
                                                                                                    Reputation:low
                                                                                                    Preview:@...e.....................w.B.8...../.c..............@..........H...............o..b~.D.poM...Q..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.............System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.|.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0".......System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Reputation:high, very likely benign file
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe
                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1570
                                                                                                    Entropy (8bit):5.1118023477738115
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2di4+S2qhL1Ly1mYUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeLwYrFdOFzOzN33ODOiDdKrsuT6v
                                                                                                    MD5:B89F427DCB6537E5BD7B0D14C0A4EF84
                                                                                                    SHA1:28399349106FF4C573F328E0F17D111CCFDD1D37
                                                                                                    SHA-256:1EB1DF17134763CF06EAC48517729D9F8CF98E114C3AC81F268CA9F3DE8E77D3
                                                                                                    SHA-512:C5EB319C4205E96762B99E6C795598A50D6E0E8CE3EA267F61B3B3B0303EEFE65D8A06F31E851F0E2A394D9B0C61FF2766A159AEFE4E9BC835CE2F212EE82D21
                                                                                                    Malicious:true
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                                                                                    Process:C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):959488
                                                                                                    Entropy (8bit):7.470651221550584
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:drOn+Ri3AgFdmcdsjDbxl7qu4Q0eAxpqz4A501t5z7clqO65SAvzP0zoP7r9r/+l:pQ3AgNubfqK2pqz4/5Kq3Co1q
                                                                                                    MD5:ADC8D552E00251DBBDCD0AAFE5BD3739
                                                                                                    SHA1:BDCCF1531860EA4E5C139864707332252CA6D62B
                                                                                                    SHA-256:0B06F6A3A4102C27376F21CBCD09D3C0BF5E6CC7E92F9B9A3810FC386AC8184D
                                                                                                    SHA-512:4AB5EEE11AEC80B2894D51F1B666461E779A012E5BB94AC536366520C2E3BD9DBD5FE40685BD522697C1DB94CBB19C7612C16E9FDB855EAA35338512EF62E680
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1=g..............0..N...T......Nm... ........@.. ....................................`..................................l..O........P........................................................................... ............... ..H............text...TM... ...N.................. ..`.rsrc....P.......R...P..............@..@.reloc..............................@..B................0m......H........6...(...........^..H.............................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...
                                                                                                    Process:C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26
                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                    Malicious:true
                                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.470651221550584
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:PO] G_24370-24396_SI2_S25_8658.exe
                                                                                                    File size:959'488 bytes
                                                                                                    MD5:adc8d552e00251dbbdcd0aafe5bd3739
                                                                                                    SHA1:bdccf1531860ea4e5c139864707332252ca6d62b
                                                                                                    SHA256:0b06f6a3a4102c27376f21cbcd09d3c0bf5e6cc7e92f9b9a3810fc386ac8184d
                                                                                                    SHA512:4ab5eee11aec80b2894d51f1b666461e779a012e5bb94ac536366520c2e3bd9dbd5fe40685bd522697c1db94cbb19c7612c16e9fdb855eaa35338512ef62e680
                                                                                                    SSDEEP:12288:drOn+Ri3AgFdmcdsjDbxl7qu4Q0eAxpqz4A501t5z7clqO65SAvzP0zoP7r9r/+l:pQ3AgNubfqK2pqz4/5Kq3Co1q
                                                                                                    TLSH:3B15DFC5E98455A0DC19AB71AA37CD3542237DFDA834952C29CE3E2B3FFB3936025462
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1=g..............0..N...T......Nm... ........@.. ....................................`................................
                                                                                                    Icon Hash:c5a484988c94a04b
                                                                                                    Entrypoint:0x4b6d4e
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0x673D3196 [Wed Nov 20 00:47:18 2024 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6cfc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x35010 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb4d54 | 0xb4e00 | 78de7e697208fe6e1a5f6496cdc47dd1 | False | 0.9590937068071873 | data | 7.933918976784444 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb8000 | 0x35010 | 0x35200 | c58cf3e5674fa09196f29e43410df31d | False | 0.20978400735294117 | data | 4.45628723918486 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xee000 | 0xc | 0x200 | 955b90efba5ef4660127dbf0044d3a99 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb8490 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.3225609756097561
RT_ICON | 0xb8af8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43951612903225806
RT_ICON | 0xb8de0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.4016393442622951
RT_ICON | 0xb8fc8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.4831081081081081
RT_ICON | 0xb90f0 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9907192575406032
RT_ICON | 0xbc6d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4584221748400853
RT_ICON | 0xbd578 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.47382671480144406
RT_ICON | 0xbde20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.45564516129032256
RT_ICON | 0xbe4e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3504335260115607
RT_ICON | 0xbea50 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07868508221933042
RT_ICON | 0xcf278 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.15114568005045195
RT_ICON | 0xd8720 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1543233082706767
RT_ICON | 0xdef08 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.175184842883549
RT_ICON | 0xe4390 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15948275862068967
RT_ICON | 0xe85b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24107883817427386
RT_ICON | 0xeab60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2678236397748593
RT_ICON | 0xebc08 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.37459016393442623
RT_ICON | 0xec590 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
RT_GROUP_ICON | 0xec9f8 | 0x102 | data | | | 0.5775193798449613
RT_GROUP_ICON | 0xecafc | 0x14 | data | | | 1.05
RT_VERSION | 0xecb10 | 0x314 | data | | | 0.43274111675126903
RT_MANIFEST | 0xece24 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 08:09:08.165489912 CET | 49705 | 25 | 192.168.2.16 | 46.175.148.58
Nov 20, 2024 08:09:09.166383028 CET | 49705 | 25 | 192.168.2.16 | 46.175.148.58
Nov 20, 2024 08:09:11.179394960 CET | 49705 | 25 | 192.168.2.16 | 46.175.148.58
Nov 20, 2024 08:09:15.191396952 CET | 49705 | 25 | 192.168.2.16 | 46.175.148.58
Nov 20, 2024 08:09:23.199424982 CET | 49705 | 25 | 192.168.2.16 | 46.175.148.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 08:09:08.139853954 CET | 59315 | 53 | 192.168.2.16 | 1.1.1.1
Nov 20, 2024 08:09:08.152579069 CET | 53 | 59315 | 1.1.1.1 | 192.168.2.16
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 08:09:08.139853954 CET | 192.168.2.16 | 1.1.1.1 | 0x7ada | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 08:09:08.152579069 CET | 1.1.1.1 | 192.168.2.16 | 0x7ada | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false

                                                                                                    Target ID:0
                                                                                                    Start time:02:09:02
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                                                                                                    Imagebase:0xd40000
                                                                                                    File size:959'488 bytes
                                                                                                    MD5 hash:ADC8D552E00251DBBDCD0AAFE5BD3739
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1274541036.0000000004271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:2
                                                                                                    Start time:02:09:04
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                                                                                                    Imagebase:0x2f0000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:3
                                                                                                    Start time:02:09:04
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:02:09:04
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VxQjXFYhdkY.exe"
                                                                                                    Imagebase:0x2f0000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:02:09:04
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:02:09:04
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxQjXFYhdkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE291.tmp"
                                                                                                    Imagebase:0x340000
                                                                                                    File size:187'904 bytes
                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:02:09:04
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:02:09:05
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\PO] G_24370-24396_SI2_S25_8658.exe"
                                                                                                    Imagebase:0xfb0000
                                                                                                    File size:959'488 bytes
                                                                                                    MD5 hash:ADC8D552E00251DBBDCD0AAFE5BD3739
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2477991883.000000000342E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2475525442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2477991883.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:13
                                                                                                    Start time:02:09:07
                                                                                                    Start date:20/11/2024
                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                    Imagebase:0x7ff6899f0000
                                                                                                    File size:496'640 bytes
                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:11.1%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:162
                                                                                                      Total number of Limit Nodes:11
                                                                                                      execution_graph 23362 7ca847b 23363 7ca83d1 23362->23363 23364 7ca85c9 23363->23364 23365 7caadf1 9 API calls 23363->23365 23365->23363 23154 7cabf88 23155 7cac113 23154->23155 23156 7cabfae 23154->23156 23156->23155 23158 7ca4a10 23156->23158 23159 7cac208 PostMessageW 23158->23159 23160 7cac274 23159->23160 23160->23156 23161 18b4668 23162 18b4672 23161->23162 23166 18b4758 23161->23166 23171 18b3e28 23162->23171 23164 18b468d 23167 18b477d 23166->23167 23175 18b4858 23167->23175 23179 18b4868 23167->23179 23172 18b3e33 23171->23172 23187 18b5c24 23172->23187 23174 18b6faf 23174->23164 23176 18b4868 23175->23176 23177 18b496c 23176->23177 23183 18b44b0 23176->23183 23177->23177 23180 18b488f 23179->23180 23181 18b44b0 CreateActCtxA 23180->23181 23182 18b496c 23180->23182 23181->23182 23184 18b58f8 CreateActCtxA 23183->23184 23186 18b59bb 23184->23186 23188 18b5c2f 23187->23188 23191 18b5c44 23188->23191 23190 18b7055 23190->23174 23192 18b5c4f 23191->23192 23195 18b5c74 23192->23195 23194 18b713a 23194->23190 23196 18b5c7f 23195->23196 23199 18b5ca4 23196->23199 23198 18b722d 23198->23194 23200 18b5caf 23199->23200 23202 18b852b 23200->23202 23205 18babdb 23200->23205 23201 18b8569 23201->23198 23202->23201 23209 18bccdc 23202->23209 23213 18babff 23205->23213 23217 18bac10 23205->23217 23206 18babee 23206->23202 23210 18bccf9 23209->23210 23211 18bcd1d 23210->23211 23225 18bce88 23210->23225 23211->23201 23214 18bac10 23213->23214 23220 18bad08 23214->23220 23215 18bac1f 23215->23206 23219 18bad08 GetModuleHandleW 23217->23219 23218 18bac1f 23218->23206 23219->23218 23221 18bad3c 23220->23221 23222 18bad19 23220->23222 23221->23215 23222->23221 23223 18baf40 GetModuleHandleW 23222->23223 23224 18baf6d 23223->23224 23224->23215 23226 18bce95 23225->23226 23227 18bcecf 23226->23227 23229 18bba40 23226->23229 23227->23211 23230 18bba4b 23229->23230 23231 18bdbe8 
23230->23231 23233 18bd23c 23230->23233 23234 18bd247 23233->23234 23235 18b5ca4 GetModuleHandleW 23234->23235 23236 18bdc57 23235->23236 23236->23231 23237 7ca84ee 23238 7ca83d1 23237->23238 23239 7ca85c9 23238->23239 23241 7caadf1 23238->23241 23242 7caae0a 23241->23242 23243 7caae12 23242->23243 23257 7cab869 23242->23257 23261 7cab715 23242->23261 23265 7cab456 23242->23265 23268 7cab210 23242->23268 23273 7cab8bd 23242->23273 23276 7cab4bc 23242->23276 23280 7cab37e 23242->23280 23286 7cab3d9 23242->23286 23294 7cabb78 23242->23294 23297 7cab51b 23242->23297 23302 7cab29b 23242->23302 23307 7cab446 23242->23307 23312 7cab361 23242->23312 23243->23238 23258 7cab872 23257->23258 23316 7ca7d38 23258->23316 23262 7cab71b 23261->23262 23320 7ca7ba0 23262->23320 23266 7cab478 23265->23266 23324 7ca7e28 23266->23324 23269 7cab21a 23268->23269 23270 7cab2d9 23269->23270 23328 7ca7fbd 23269->23328 23332 7ca7fc0 23269->23332 23270->23243 23270->23270 23274 7cab8cf 23273->23274 23275 7ca7e28 ReadProcessMemory 23274->23275 23275->23274 23277 7cab4cc 23276->23277 23279 7ca7d38 WriteProcessMemory 23277->23279 23278 7cabc03 23279->23278 23281 7cab398 23280->23281 23282 7cab7de 23281->23282 23336 7ca7ae8 23281->23336 23340 7ca7af0 23281->23340 23282->23243 23283 7cab547 23287 7cab71c 23286->23287 23289 7cab478 23286->23289 23288 7cab726 23287->23288 23287->23289 23292 7ca7ba0 Wow64SetThreadContext 23288->23292 23291 7cabbbb 23289->23291 23293 7ca7e28 ReadProcessMemory 23289->23293 23290 7cab84d 23292->23290 23293->23289 23296 7ca7ba0 Wow64SetThreadContext 23294->23296 23295 7cabb92 23296->23295 23298 7cab521 23297->23298 23300 7ca7ae8 ResumeThread 23298->23300 23301 7ca7af0 ResumeThread 23298->23301 23299 7cab547 23300->23299 23301->23299 23303 7cab2a8 23302->23303 23305 7ca7fbd CreateProcessA 23303->23305 23306 7ca7fc0 CreateProcessA 23303->23306 23304 7cab2d9 23304->23243 23304->23304 23305->23304 23306->23304 23308 7cabc28 23307->23308 23344 7ca7c78 23308->23344 23348 
7ca7c70 23308->23348 23309 7cabb61 23309->23243 23313 7cab377 23312->23313 23315 7ca7d38 WriteProcessMemory 23313->23315 23314 7cab301 23314->23243 23315->23314 23317 7ca7d80 WriteProcessMemory 23316->23317 23319 7ca7dd7 23317->23319 23321 7ca7be5 Wow64SetThreadContext 23320->23321 23323 7ca7c2d 23321->23323 23325 7ca7e73 ReadProcessMemory 23324->23325 23327 7ca7eb7 23325->23327 23327->23266 23329 7ca7fc0 23328->23329 23329->23329 23330 7ca81ae CreateProcessA 23329->23330 23331 7ca820b 23330->23331 23331->23331 23333 7ca8049 23332->23333 23333->23333 23334 7ca81ae CreateProcessA 23333->23334 23335 7ca820b 23334->23335 23335->23335 23337 7ca7af0 ResumeThread 23336->23337 23339 7ca7b61 23337->23339 23339->23283 23341 7ca7b30 ResumeThread 23340->23341 23343 7ca7b61 23341->23343 23343->23283 23345 7ca7cb8 VirtualAllocEx 23344->23345 23347 7ca7cf5 23345->23347 23347->23309 23349 7ca7c78 VirtualAllocEx 23348->23349 23351 7ca7cf5 23349->23351 23351->23309 23352 18bcfa0 23353 18bcfa5 GetCurrentProcess 23352->23353 23355 18bd038 GetCurrentThread 23353->23355 23356 18bd031 23353->23356 23357 18bd06e 23355->23357 23358 18bd075 GetCurrentProcess 23355->23358 23356->23355 23357->23358 23361 18bd0ab 23358->23361 23359 18bd0d3 GetCurrentThreadId 23360 18bd104 23359->23360 23361->23359 23370 18bd5f0 23371 18bd5f5 DuplicateHandle 23370->23371 23372 18bd686 23371->23372
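The execution_graph above is a flat token stream rather than a picture: `<node id> <address> [API name | "N API calls"]` declares a node and `<id>-><id>` declares an edge, with subgraphs past the limit collapsed into nodes annotated "9 API calls" (hence the Limit Nodes count). Read as a call graph, the dispatcher at 7caadf1 fans out to small wrappers whose leaves are CreateProcessA (7ca81ae), VirtualAllocEx (7ca7cb8), WriteProcessMemory (7ca7d38, 7ca7d80), ReadProcessMemory (7ca7e73), Wow64SetThreadContext (7ca7be5, which operates on a WOW64 thread) and ResumeThread (7ca7ae8). That is the API sequence of RunPE-style process hollowing: spawn a suspended child, allocate in it, write the payload image, point the thread context at it, resume. It is what the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures in the summary refer to. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses a trimmed excerpt of this graph (copied from the page), walks reachability from every node labelled 7caadf1 (the collapsed copy at 23365 has no API leaves, so all copies of the label are used as roots) and reports which hollowing stages are present. The token grammar, the regular expressions and the stage grouping are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed input: an abbreviated excerpt of the execution_graph printed on this page (the
# 7caadf1 dispatcher and the callees that reach Win32 APIs); ids and addresses are copied from it.
EXCERPT = """
23362 7ca847b 23363 7ca83d1 23362->23363 23364 7ca85c9 23363->23364 23365 7caadf1 9 API calls 23363->23365 23365->23363
23237 7ca84ee 23238 7ca83d1 23237->23238 23239 7ca85c9 23238->23239 23241 7caadf1 23238->23241 23242 7caae0a 23241->23242
23243 7caae12 23242->23243 23257 7cab869 23242->23257 23261 7cab715 23242->23261 23265 7cab456 23242->23265 23268 7cab210 23242->23268
23297 7cab51b 23242->23297 23307 7cab446 23242->23307 23312 7cab361 23242->23312 23243->23238
23258 7cab872 23257->23258 23316 7ca7d38 23258->23316 23262 7cab71b 23261->23262 23320 7ca7ba0 23262->23320
23266 7cab478 23265->23266 23324 7ca7e28 23266->23324 23269 7cab21a 23268->23269 23270 7cab2d9 23269->23270 23328 7ca7fbd 23269->23328
23298 7cab521 23297->23298 23300 7ca7ae8 ResumeThread 23298->23300 23308 7cabc28 23307->23308 23344 7ca7c78 23308->23344
23313 7cab377 23312->23313 23315 7ca7d38 WriteProcessMemory 23313->23315 23317 7ca7d80 WriteProcessMemory 23316->23317
23321 7ca7be5 Wow64SetThreadContext 23320->23321 23325 7ca7e73 ReadProcessMemory 23324->23325
23329 7ca7fc0 23328->23329 23330 7ca81ae CreateProcessA 23329->23330 23345 7ca7cb8 VirtualAllocEx 23344->23345
"""

# Token shapes inferred from the dump (not a documented Joe Sandbox grammar):
# "<id> <hexaddr> [annotation...]" declares a node, "<id>-><id>" declares an edge.
NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{6,8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")

# Stages of a RunPE-style hollowing chain; the grouping is this example's assumption.
INJECTION_STAGES = {
    "spawn": {"CreateProcessA", "CreateProcessW"},
    "alloc": {"VirtualAllocEx"},
    "write": {"WriteProcessMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext"},
    "resume": {"ResumeThread", "NtResumeThread"},
}

def parse_execution_graph(text):
    """Return (labels, notes, edges): id -> address, id -> annotation tokens, id -> successor ids."""
    tokens = text.split()
    labels, notes, edges = {}, defaultdict(list), defaultdict(set)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges[int(edge.group(1))].add(int(edge.group(2)))
            i += 1
            continue
        # A node starts only where a numeric id is immediately followed by a hex address,
        # so the "9" in "9 API calls" (a collapsed limit node) stays an annotation.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            labels[current] = tokens[i + 1]
            i += 2
            continue
        if current is not None:
            notes[current].append(tok)
        i += 1
    return labels, notes, edges

def api_calls(notes):
    """id -> set of API names among a node's annotations ("9 API calls" notes are dropped)."""
    return {n: {t for t in toks if API_NAME.match(t) and t != "API"} for n, toks in notes.items()}

def reachable(edges, root):
    """Every id reachable from root (root included); iterative DFS, so cycles are harmless."""
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(edges.get(n, ()))
    return seen

def injection_report(text, root_address):
    """Hollowing stages reachable from any node labelled root_address, and which stages are missing."""
    labels, notes, edges = parse_execution_graph(text)
    apis = api_calls(notes)
    stages = defaultdict(set)
    for root in [n for n, addr in labels.items() if addr == root_address]:
        for n in reachable(edges, root):
            for stage, names in INJECTION_STAGES.items():
                for api in apis.get(n, set()) & names:
                    stages[stage].add((labels[n], api))
    missing = [s for s in INJECTION_STAGES if s not in stages]
    return {
        "stages": {s: sorted(hits) for s, hits in stages.items()},
        "missing": missing,
        "hollowing_chain_complete": not missing,
    }

if __name__ == "__main__":
    report = injection_report(EXCERPT, "7caadf1")
    for stage, hits in report["stages"].items():
        print(f"{stage:8s} {hits}")
    print("missing:", report["missing"], "| complete:", report["hollowing_chain_complete"])
```

Run against the excerpt, the walk from 7caadf1 finds every stage (CreateProcessA at 7ca81ae, VirtualAllocEx at 7ca7cb8, WriteProcessMemory at 7ca7d38 and 7ca7d80, Wow64SetThreadContext at 7ca7be5, ResumeThread at 7ca7ae8); the same walk from 7ca847b reaches only the collapsed copy of the dispatcher and reports all five stages missing, which is the caveat: a graph with limit nodes must be walked from the expanded copy of a function, or the verdict is a false negative. ReadProcessMemory is deliberately not a stage; it appears in hollowing loaders that read the child's PEB to locate the original image base, but also in plenty of benign code.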
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3d2a8ca631d2c3967756af12f83245a9c791f9df2b4bcaca6a43cb6efdb1b649
                                                                                                      • Instruction ID: 969a4f30944cc59154eab1949037afa8705415df8de0b5534df1e180e50691e2
                                                                                                      • Opcode Fuzzy Hash: 3d2a8ca631d2c3967756af12f83245a9c791f9df2b4bcaca6a43cb6efdb1b649
                                                                                                      • Instruction Fuzzy Hash: 10E1EDB0B01206AFDB29DB79C490BAEB7F6AF89305F10446DD146DB794CB34EA01CB52
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c6cd5fba65cccfc6268a281f0aec18c236b239c38a220a79bd9b099831979c39
                                                                                                      • Instruction ID: 5d6ae9a43b3d5158272324ff4092ebd0d58f000b7725f65b3dfb5f6578c81b54
                                                                                                      • Opcode Fuzzy Hash: c6cd5fba65cccfc6268a281f0aec18c236b239c38a220a79bd9b099831979c39
                                                                                                      • Instruction Fuzzy Hash: 6C21E3B0D046199BEB18CFABC9557EEFBF6BFC9304F04C46AD409A6254DB7409468FA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7d603613a6453ffbe038677f3768bcd2d5877600cb53af9e77dc62eaf8b4fb2f
                                                                                                      • Instruction ID: cbb0fd4c687194e26a61fbb8c01cbff6264bfa2a8fae9c5d147f2c497fd6c4fb
                                                                                                      • Opcode Fuzzy Hash: 7d603613a6453ffbe038677f3768bcd2d5877600cb53af9e77dc62eaf8b4fb2f
                                                                                                      • Instruction Fuzzy Hash: 77E04FF486E24FEBC701DF26D4805B9BBB8AB0B219F002395C41AA7292D7309C44CB05
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2c950de49daea967cd2f8a5db216e68b0cf170df4212bf9d7ca6314259efd8c6
                                                                                                      • Instruction ID: f5508053b449749829f331237e18d63d9d0d10babe1e4048bdcba2694c69af33
                                                                                                      • Opcode Fuzzy Hash: 2c950de49daea967cd2f8a5db216e68b0cf170df4212bf9d7ca6314259efd8c6
                                                                                                      • Instruction Fuzzy Hash: 3AE0ECF485D249EBD701DF65D8815FDBBB8AB0F309F012195C00AA7252D6309D84CB05

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 018BD01E
                                                                                                      • GetCurrentThread.KERNEL32 ref: 018BD05B
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 018BD098
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 018BD0F1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: f92ee1fff7fd2db3d8a4f8348984784a968e6a90a705a93c9c6c53fe9cf6a144
                                                                                                      • Instruction ID: 1ad680e78fa64663a0e8d21b764a85a4ddfab921458e4d585036e73547ba5d97
                                                                                                      • Opcode Fuzzy Hash: f92ee1fff7fd2db3d8a4f8348984784a968e6a90a705a93c9c6c53fe9cf6a144
                                                                                                      • Instruction Fuzzy Hash: 3A51A6B49007499FDB28DFAAD588BDEBBF0FF48304F208559D408A7360D735A985CB66

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 018BD01E
                                                                                                      • GetCurrentThread.KERNEL32 ref: 018BD05B
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 018BD098
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 018BD0F1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: ee7560d8e46dc7eb34cd96af114a98b0d6bbbf45d52564d6731e92f805dfe9ae
                                                                                                      • Instruction ID: 59a2b2b9fbb65197ea025c5b8fa0cd05ff9bd6cdd5fb492fe78a58c0154a2e38
                                                                                                      • Opcode Fuzzy Hash: ee7560d8e46dc7eb34cd96af114a98b0d6bbbf45d52564d6731e92f805dfe9ae
                                                                                                      • Instruction Fuzzy Hash: 925195B49007499FDB28DFAAD588BDEBBF0FB48304F208559D408A7360D7359985CB66

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 47 7ca7fbd-7ca8055 50 7ca808e-7ca80ae 47->50 51 7ca8057-7ca8061 47->51 58 7ca80b0-7ca80ba 50->58 59 7ca80e7-7ca8116 50->59 51->50 52 7ca8063-7ca8065 51->52 53 7ca8088-7ca808b 52->53 54 7ca8067-7ca8071 52->54 53->50 56 7ca8073 54->56 57 7ca8075-7ca8084 54->57 56->57 57->57 61 7ca8086 57->61 58->59 60 7ca80bc-7ca80be 58->60 67 7ca8118-7ca8122 59->67 68 7ca814f-7ca8209 CreateProcessA 59->68 62 7ca80c0-7ca80ca 60->62 63 7ca80e1-7ca80e4 60->63 61->53 65 7ca80ce-7ca80dd 62->65 66 7ca80cc 62->66 63->59 65->65 69 7ca80df 65->69 66->65 67->68 70 7ca8124-7ca8126 67->70 79 7ca820b-7ca8211 68->79 80 7ca8212-7ca8298 68->80 69->63 72 7ca8128-7ca8132 70->72 73 7ca8149-7ca814c 70->73 74 7ca8136-7ca8145 72->74 75 7ca8134 72->75 73->68 74->74 77 7ca8147 74->77 75->74 77->73 79->80 90 7ca829a-7ca829e 80->90 91 7ca82a8-7ca82ac 80->91 90->91 92 7ca82a0 90->92 93 7ca82ae-7ca82b2 91->93 94 7ca82bc-7ca82c0 91->94 92->91 93->94 97 7ca82b4 93->97 95 7ca82c2-7ca82c6 94->95 96 7ca82d0-7ca82d4 94->96 95->96 98 7ca82c8 95->98 99 7ca82e6-7ca82ed 96->99 100 7ca82d6-7ca82dc 96->100 97->94 98->96 101 7ca82ef-7ca82fe 99->101 102 7ca8304 99->102 100->99 101->102 104 7ca8305 102->104 104->104
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CA81F6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: fcdfcaf0415ce0ad5978579f7e51774b7fe1ab0f235f4cd411d8df46ac0f05a7
                                                                                                      • Instruction ID: 7d764a7a421a7a43735437f9358def20b82624cddd9c089c19e547aabc8a5f31
                                                                                                      • Opcode Fuzzy Hash: fcdfcaf0415ce0ad5978579f7e51774b7fe1ab0f235f4cd411d8df46ac0f05a7
                                                                                                      • Instruction Fuzzy Hash: 0B915DB1D0071A9FEB25CF68C8847EDBBF2BF48315F148169E808A7240DB759A85CF91

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 105 7ca7fc0-7ca8055 107 7ca808e-7ca80ae 105->107 108 7ca8057-7ca8061 105->108 115 7ca80b0-7ca80ba 107->115 116 7ca80e7-7ca8116 107->116 108->107 109 7ca8063-7ca8065 108->109 110 7ca8088-7ca808b 109->110 111 7ca8067-7ca8071 109->111 110->107 113 7ca8073 111->113 114 7ca8075-7ca8084 111->114 113->114 114->114 118 7ca8086 114->118 115->116 117 7ca80bc-7ca80be 115->117 124 7ca8118-7ca8122 116->124 125 7ca814f-7ca8209 CreateProcessA 116->125 119 7ca80c0-7ca80ca 117->119 120 7ca80e1-7ca80e4 117->120 118->110 122 7ca80ce-7ca80dd 119->122 123 7ca80cc 119->123 120->116 122->122 126 7ca80df 122->126 123->122 124->125 127 7ca8124-7ca8126 124->127 136 7ca820b-7ca8211 125->136 137 7ca8212-7ca8298 125->137 126->120 129 7ca8128-7ca8132 127->129 130 7ca8149-7ca814c 127->130 131 7ca8136-7ca8145 129->131 132 7ca8134 129->132 130->125 131->131 134 7ca8147 131->134 132->131 134->130 136->137 147 7ca829a-7ca829e 137->147 148 7ca82a8-7ca82ac 137->148 147->148 149 7ca82a0 147->149 150 7ca82ae-7ca82b2 148->150 151 7ca82bc-7ca82c0 148->151 149->148 150->151 154 7ca82b4 150->154 152 7ca82c2-7ca82c6 151->152 153 7ca82d0-7ca82d4 151->153 152->153 155 7ca82c8 152->155 156 7ca82e6-7ca82ed 153->156 157 7ca82d6-7ca82dc 153->157 154->151 155->153 158 7ca82ef-7ca82fe 156->158 159 7ca8304 156->159 157->156 158->159 161 7ca8305 159->161 161->161
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CA81F6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: fdef4ce6d9ca44221eefa767ff9a8a5270191719db375321e3cdcd05ae494f9e
                                                                                                      • Instruction ID: 470d4e88411039538faf02a1b9131610bdb2837c44a48efb72e5ef704ff6222a
                                                                                                      • Opcode Fuzzy Hash: fdef4ce6d9ca44221eefa767ff9a8a5270191719db375321e3cdcd05ae494f9e
                                                                                                      • Instruction Fuzzy Hash: 7C915DB1D0071A9FEB25CF68C8807EDBBF2BF44315F148169E808A7240DB759A85CF91

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 162 18bad08-18bad17 163 18bad19-18bad26 call 18ba02c 162->163 164 18bad43-18bad47 162->164 169 18bad28 163->169 170 18bad3c 163->170 165 18bad5b-18bad9c 164->165 166 18bad49-18bad53 164->166 173 18bada9-18badb7 165->173 174 18bad9e-18bada6 165->174 166->165 219 18bad2e call 18baf90 169->219 220 18bad2e call 18bafa0 169->220 170->164 176 18baddb-18baddd 173->176 177 18badb9-18badbe 173->177 174->173 175 18bad34-18bad36 175->170 180 18bae78-18baef6 175->180 181 18bade0-18bade7 176->181 178 18badc9 177->178 179 18badc0-18badc7 call 18ba038 177->179 183 18badcb-18badd9 178->183 179->183 212 18baef8-18baefc 180->212 213 18baefd-18baf38 180->213 184 18bade9-18badf1 181->184 185 18badf4-18badfb 181->185 183->181 184->185 187 18bae08-18bae11 call 18ba048 185->187 188 18badfd-18bae05 185->188 193 18bae1e-18bae23 187->193 194 18bae13-18bae1b 187->194 188->187 196 18bae41-18bae45 193->196 197 18bae25-18bae2c 193->197 194->193 221 18bae48 call 18bb290 196->221 222 18bae48 call 18bb2a0 196->222 197->196 198 18bae2e-18bae3e call 18ba058 call 18ba068 197->198 198->196 201 18bae4b-18bae4e 203 18bae71-18bae77 201->203 204 18bae50-18bae6e 201->204 204->203 212->213 214 18baf3a-18baf3d 213->214 215 18baf40-18baf6b GetModuleHandleW 213->215 214->215 216 18baf6d-18baf73 215->216 217 18baf74-18baf88 215->217 216->217 219->175 220->175 221->201 222->201
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 018BAF5E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 4b1fc9677edfd6546bd4f58be940dca92c624c3e40379b2817aa0a8677b587b0
                                                                                                      • Instruction ID: 4c419197b6a375bcaa012809fba8bc5f0a9af6675c39c7d82e12995f41fb4af5
                                                                                                      • Opcode Fuzzy Hash: 4b1fc9677edfd6546bd4f58be940dca92c624c3e40379b2817aa0a8677b587b0
                                                                                                      • Instruction Fuzzy Hash: 31712470A00B058FE729DF29D48479ABBF5FB88304F048A2DD44AD7B50D735EA49CB91

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 223 18b58ec-18b58f4 224 18b58fc-18b59b9 CreateActCtxA 223->224 226 18b59bb-18b59c1 224->226 227 18b59c2-18b5a1c 224->227 226->227 234 18b5a2b-18b5a2f 227->234 235 18b5a1e-18b5a21 227->235 236 18b5a31-18b5a3d 234->236 237 18b5a40 234->237 235->234 236->237 238 18b5a41 237->238 238->238
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 018B59A9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: e3a1b937743aa29705fcad1e4f4a3cd16febe1cc265480b28431f81fe1d938a3
                                                                                                      • Instruction ID: 421f1ec59e7b18b5c8a0a43fb29bcc1a014ca59d512bbd2d2ddc76bac80d524f
                                                                                                      • Opcode Fuzzy Hash: e3a1b937743aa29705fcad1e4f4a3cd16febe1cc265480b28431f81fe1d938a3
                                                                                                      • Instruction Fuzzy Hash: AC41BFB1D00719CFDB24DFAAC884BCDBBB1BF49304F24815AD418AB251DB756A46CF90

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 240 18b44b0-18b59b9 CreateActCtxA 243 18b59bb-18b59c1 240->243 244 18b59c2-18b5a1c 240->244 243->244 251 18b5a2b-18b5a2f 244->251 252 18b5a1e-18b5a21 244->252 253 18b5a31-18b5a3d 251->253 254 18b5a40 251->254 252->251 253->254 255 18b5a41 254->255 255->255
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 018B59A9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0

Control-flow Graph
• Basic blocks 7ca7d38-7ca7e0e; the WriteProcessMemory call sits in block 7ca7d96-7ca7dd5 (edge list omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CA7DC8
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph
• Basic blocks 18bd5e9-18bd6aa; the DuplicateHandle call sits in block 18bd5f5-18bd684 (edge list omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018BD677
Memory Dump Source
• Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph
• Basic blocks 7ca7e28-7ca7eee; the ReadProcessMemory call sits in block 7ca7e28-7ca7eb5 (edge list omitted)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CA7EA8
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph
• Basic blocks 7ca7ba0-7ca7c64; the Wow64SetThreadContext call sits in block 7ca7bfb-7ca7c2b (edge list omitted)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CA7C1E
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph
• Basic blocks 18bd5f0-18bd6aa; the DuplicateHandle call sits in block 18bd5f0-18bd684 (edge list omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018BD677
Memory Dump Source
• Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph
• Basic blocks 7ca7c70-7ca7d21; the VirtualAllocEx call sits in block 7ca7c70-7ca7cf3 (edge list omitted)
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CA7CE6
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph
• Basic blocks 7ca7c78-7ca7d21; the VirtualAllocEx call sits in block 7ca7c78-7ca7cf3 (edge list omitted)
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CA7CE6
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph
• Basic blocks 7ca7ae8-7ca7b8d; the ResumeThread call sits in block 7ca7ae8-7ca7b5f (edge list omitted)
APIs
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07CAC265
Memory Dump Source
• Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 018BAF5E
Memory Dump Source
• Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Memory Dump Source
• Source File: 00000000.00000002.1273170900.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_185d000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273252368.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_186d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 417703bd9f39880cf9466353e0fa9e14340fc95e4e4b85314e29d159ea95b8f7
                                                                                                      • Instruction ID: b7335747e32d6f27432c4ba9739f3550c501336fd4f4550415b1ff4b66d0c14e
                                                                                                      • Opcode Fuzzy Hash: 417703bd9f39880cf9466353e0fa9e14340fc95e4e4b85314e29d159ea95b8f7
                                                                                                      • Instruction Fuzzy Hash: 32212571A04244DFDB15DF54D5C0B26BBA9FB88324F24C66DD8898F352C336E546CB61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273252368.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_186d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4261daa611eaa0151bda757b5ed05084e52f5ec77a1c6ef5ed0f6e97e2567062
                                                                                                      • Instruction ID: 5db2ca28cae4a0abc7a3e43bed3f8bb1e02b99fa725d3534544b72457f8f6abb
                                                                                                      • Opcode Fuzzy Hash: 4261daa611eaa0151bda757b5ed05084e52f5ec77a1c6ef5ed0f6e97e2567062
                                                                                                      • Instruction Fuzzy Hash: 58212575604344DFDB15DF54D5C0B16BBA9EB88314F20C66DD88A8B242C33BD547CB62
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273170900.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_185d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 697a99710317c54f7bb984e23a66932092e377a29f2f678e4ea71861c0222b0b
                                                                                                      • Instruction ID: a24dc4e7393df5c57d71f27d00d3eaf66bbc189ba1715d1232f073fef5d8fc97
                                                                                                      • Opcode Fuzzy Hash: 697a99710317c54f7bb984e23a66932092e377a29f2f678e4ea71861c0222b0b
                                                                                                      • Instruction Fuzzy Hash: D311AF76504280CFCB16CF54D5C4B16BF72FB88318F24C6A9EC494B656C336D55ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273252368.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_186d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9a6052acfa68c4fe46fadad0eff0bea71195c393da8741e650ac4709680a852a
                                                                                                      • Instruction ID: 1eaf593185edb86c3ee2151aefdb810503de8e2acaaebe0183968421d8b09670
                                                                                                      • Opcode Fuzzy Hash: 9a6052acfa68c4fe46fadad0eff0bea71195c393da8741e650ac4709680a852a
                                                                                                      • Instruction Fuzzy Hash: 0D11BB75604280CFCB12CF14D5C4B15BBB2FB88314F24C6AAD8498B656C33AD54ACBA2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273252368.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_186d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9a6052acfa68c4fe46fadad0eff0bea71195c393da8741e650ac4709680a852a
                                                                                                      • Instruction ID: 43b6a089a9fa6b264d58a73bd355cb74bbd26870cefc7c3e56a97b249aa181e6
                                                                                                      • Opcode Fuzzy Hash: 9a6052acfa68c4fe46fadad0eff0bea71195c393da8741e650ac4709680a852a
                                                                                                      • Instruction Fuzzy Hash: 7011BB75604280DFCB12CF54D5C0B15BBB2FB84324F28C6A9D8898B796C33AE44ACB61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273170900.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_185d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 962f5973cae4e151194a9b671b2ae121ab2fa3f2598a7c95f7380c34864b6edb
                                                                                                      • Instruction ID: d090bb645c507f82b2ab21442db641677ad638cdda3cb977302866f52ebe3889
                                                                                                      • Opcode Fuzzy Hash: 962f5973cae4e151194a9b671b2ae121ab2fa3f2598a7c95f7380c34864b6edb
                                                                                                      • Instruction Fuzzy Hash: A601F231004384AAE7605B69DD84B26BB98DF41324F18C61AED088F286C2799940CAB2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273170900.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_185d000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: cae43243b847bc6fa08ee72e97052f0b9eaa1000139a4d4d79e531d68032febb
                                                                                                      • Instruction ID: 4794fa68b1b1a0786ab0b36228c7ab224f7c862ac58365f147a4b1fe72b63558
                                                                                                      • Opcode Fuzzy Hash: cae43243b847bc6fa08ee72e97052f0b9eaa1000139a4d4d79e531d68032febb
                                                                                                      • Instruction Fuzzy Hash: 4CF0C8710043809EE7208A15DC84B62FFA8EF40724F18C55AED084B297C2795840CAB1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a97dd7758d463d9bf4b5465d8b5267c6c2ced5be6ac8cc0439b73fe47136f131
                                                                                                      • Instruction ID: 8c90bfb68126d30cc0d6a925bd9d3cb766f6cf0c2aeeae510a1713a7f33d95f9
                                                                                                      • Opcode Fuzzy Hash: a97dd7758d463d9bf4b5465d8b5267c6c2ced5be6ac8cc0439b73fe47136f131
                                                                                                      • Instruction Fuzzy Hash: FAE1FAB4E0021A9FDB14CFA9D584AAEBBB2FF89305F24C169D415AB356D730AD41CF60
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ec9758d481adbee82e928d207883b95a60d0f41c719dbc90fff460d0ee380fa4
                                                                                                      • Instruction ID: 0b92ad30b39858a4865493fad0da1396f21528e39fd6695643cd677b0eeba61c
                                                                                                      • Opcode Fuzzy Hash: ec9758d481adbee82e928d207883b95a60d0f41c719dbc90fff460d0ee380fa4
                                                                                                      • Instruction Fuzzy Hash: 60E118B4E0021A9FDB14CFA9D5849AEBBB2FF89305F24C169D415AB316D730AD41CFA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4fc16ac61020dfff6174fee94946de7829152fe940c93af445d720885bab8c48
                                                                                                      • Instruction ID: d885e10ceb193bd03e30555aa6d101de4e0df25e7e68541da96b88e5b41afc9c
                                                                                                      • Opcode Fuzzy Hash: 4fc16ac61020dfff6174fee94946de7829152fe940c93af445d720885bab8c48
                                                                                                      • Instruction Fuzzy Hash: 5EE1F9B4E0021A9FDB14CFA9D584AAEBBB2FF89305F24C169D415AB356D730AD41CF60
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 025f45e57c9090ca63d6bfd8e71d5186d25791d7f5a7273e6331eabd0f2ec74b
                                                                                                      • Instruction ID: fecd14bb27cfd89ab93e40497258aca33f6ec6f59a13de770f884d282343cb85
                                                                                                      • Opcode Fuzzy Hash: 025f45e57c9090ca63d6bfd8e71d5186d25791d7f5a7273e6331eabd0f2ec74b
                                                                                                      • Instruction Fuzzy Hash: A3E1FDB4E0021A9FDB14CFA9C584AAEFBB2FF89305F248169D415AB356D731AD41CF60
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f53fba051365e889ee9002ee236d10cdfcd3d6d67d3d62585f937b3bfcaddaba
                                                                                                      • Instruction ID: 6e5475f4ab0e3ceeca46d5b29edc0e23afc7a3d91ccf93cc3d454a8b9de14706
                                                                                                      • Opcode Fuzzy Hash: f53fba051365e889ee9002ee236d10cdfcd3d6d67d3d62585f937b3bfcaddaba
                                                                                                      • Instruction Fuzzy Hash: 1AE1EAB4E0021A9FDB14CFA9C5849AEFBB2FF89305F248169D415AB356D730AD41CFA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1273520044.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_18b0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: da7f91fe343afa35601f69c03121315061dbeefd3e3bf5fffec8bfe031006fb0
                                                                                                      • Instruction ID: d4e9aa72a25959089f29b9d7074d49fc79400b40dde339d59395a9fe87a304d3
                                                                                                      • Opcode Fuzzy Hash: da7f91fe343afa35601f69c03121315061dbeefd3e3bf5fffec8bfe031006fb0
                                                                                                      • Instruction Fuzzy Hash: DCA15032A1060A8FCF15DFB8C8805DEBBB2FF85300B158569EA05EB365DB71DA56CB40
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a23b339e34f6ff9b70fb581445b18b41bb3ddc7e6c6128a548de44598efe530d
                                                                                                      • Instruction ID: ce3b3f403ebb8e3f20e1720f7f51a33ce368966d58efc5b22d4aad4407449298
                                                                                                      • Opcode Fuzzy Hash: a23b339e34f6ff9b70fb581445b18b41bb3ddc7e6c6128a548de44598efe530d
                                                                                                      • Instruction Fuzzy Hash: 8851F8B4E0021A8FDB14CFA9D5845AEBBB2FF89305F24C16AD419A7216D7359D42CFA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1278021954.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ca0000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3a0b0cdd66b25c8c5119f855ebd2e94c2acffc58c2327b28c98f8f97b0ad9dab
                                                                                                      • Instruction ID: 612eba58b068e97c5e3c22c4e52c6a9404bb21ae80ad47d643da4a9799406702
                                                                                                      • Opcode Fuzzy Hash: 3a0b0cdd66b25c8c5119f855ebd2e94c2acffc58c2327b28c98f8f97b0ad9dab
                                                                                                      • Instruction Fuzzy Hash: 0851F8B4E0021A8BDB14CFA9C5855AEFBF2EF89305F24816AD518B7216D7319942CFA1

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:10.2%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:22
                                                                                                      Total number of Limit Nodes:2
                                                                                                      execution_graph 31226 1a66530 31227 1a6654e 31226->31227 31230 1a6610c 31227->31230 31229 1a66585 31232 1a68050 LoadLibraryA 31230->31232 31233 1a68149 31232->31233 31234 697c960 31235 697c9a6 31234->31235 31236 697ca93 31235->31236 31239 697cb30 31235->31239 31244 697cb40 31235->31244 31240 697cb3a 31239->31240 31242 697cb0a 31239->31242 31247 697c52c 31240->31247 31242->31236 31245 697c52c DuplicateHandle 31244->31245 31246 697cb6e 31244->31246 31245->31246 31246->31236 31248 697cba8 DuplicateHandle 31247->31248 31249 697cb6e 31248->31249 31249->31236 31250 6976748 31251 697675d 31250->31251 31252 6976972 31251->31252 31253 6976d78 GlobalMemoryStatusEx 31251->31253 31253->31251

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 175 6978758-6978773 176 6978775-697879c call 6976d64 175->176 177 697879d-69787bc call 6976d70 175->177 183 69787c2-6978821 177->183 184 69787be-69787c1 177->184 191 6978827-69788b4 GlobalMemoryStatusEx 183->191 192 6978823-6978826 183->192 196 69788b6-69788bc 191->196 197 69788bd-69788e5 191->197 196->197
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000008.00000002.2483190240.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_8_2_6970000_PO] G_24370-24396_SI2_S25_8658.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:

Control-flow Graph
• Graph for the function at 1a6610c-1a68192 (calls LoadLibraryA and 1a60a00); node and edge data omitted
APIs
• LoadLibraryA.KERNELBASE(?), ref: 01A68137
Memory Dump Source
• Source File: 00000008.00000002.2477798700.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1a60000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0

Control-flow Graph
• Graph for the function at 1a68046-1a68192 (calls LoadLibraryA and 1a60a00); node and edge data omitted
APIs
• LoadLibraryA.KERNELBASE(?), ref: 01A68137
Memory Dump Source
• Source File: 00000008.00000002.2477798700.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1a60000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0

Control-flow Graph
• Graph for the function at 697cba0-697cc62 (calls DuplicateHandle); node and edge data omitted
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0697CB6E,?,?,?,?,?), ref: 0697CC2F
Memory Dump Source
• Source File: 00000008.00000002.2483190240.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6970000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0

Control-flow Graph
• Graph for the function at 697c52c-697cc62 (calls DuplicateHandle); node and edge data omitted
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0697CB6E,?,?,?,?,?), ref: 0697CC2F
Memory Dump Source
• Source File: 00000008.00000002.2483190240.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6970000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0

Control-flow Graph
• Graph for the function at 6978840-69788e5 (calls GlobalMemoryStatusEx); node and edge data omitted
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 069788A7
Memory Dump Source
• Source File: 00000008.00000002.2483190240.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6970000_PO] G_24370-24396_SI2_S25_8658.jbxd
Similarity
• API ID: GlobalMemoryStatus
• API String ID: 1890195054-0
Memory Dump Source
• Source File: 00000008.00000002.2476486494.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_169d000_PO] G_24370-24396_SI2_S25_8658.jbxd
Memory Dump Source
• Source File: 00000008.00000002.2476486494.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_169d000_PO] G_24370-24396_SI2_S25_8658.jbxd