
Windows Analysis Report
Y7iJlbvuxg.exe

Overview

General Information

Sample name: Y7iJlbvuxg.exe (renamed because the original name is a hash value)
Original sample name: 20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d.exe
Analysis ID: 1589531
MD5: c8dd54784fb1b6cbd16cec060487fb8f
SHA1: aa8e0f879f1b6a0d83d2657e86cca4b66d8235cf
SHA256: 20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d
Tags: exe, funklocker, funksec, ransomware, user-TheRavenFile

Detection

FunkLocker
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FunkLocker Ransomware
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Disables Windows Defender (via service or powershell)
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Sigma detected: Disable of ETW Trace
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Eventlog Clear or Configuration Change
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Y7iJlbvuxg.exe (PID: 2800 cmdline: "C:\Users\user\Desktop\Y7iJlbvuxg.exe" MD5: C8DD54784FB1B6CBD16CEC060487FB8F)
    • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • net.exe (PID: 5624 cmdline: "net" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • net1.exe (PID: 1412 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • powershell.exe (PID: 6156 cmdline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • WmiPrvSE.exe (PID: 7384 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1476 cmdline: "powershell" -Command "wevtutil sl Security /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • wevtutil.exe (PID: 7328 cmdline: "C:\Windows\system32\wevtutil.exe" sl Security /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)
    • powershell.exe (PID: 5996 cmdline: "powershell" -Command "wevtutil sl Application /e:false" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • wevtutil.exe (PID: 7320 cmdline: "C:\Windows\system32\wevtutil.exe" sl Application /e:false MD5: 1AAE26BD68B911D0420626A27070EB8D)
    • powershell.exe (PID: 4196 cmdline: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: Process Memory Space: Y7iJlbvuxg.exe PID: 2800 | Rule: JoeSecurity_funklocker | Description: Yara detected FunkLocker Ransomware | Author: Joe Security

    System Summary

    Source: Process started | Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Data: Command: "powershell" -Command "wevtutil sl Security /e:false", CommandLine: "powershell" -Command "wevtutil sl Security /e:false", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Y7iJlbvuxg.exe", ParentImage: C:\Users\user\Desktop\Y7iJlbvuxg.exe, ParentProcessId: 2800, ParentProcessName: Y7iJlbvuxg.exe, ProcessCommandLine: "powershell" -Command "wevtutil sl Security /e:false", ProcessId: 1476, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Y7iJlbvuxg.exe", ParentImage: C:\Users\user\Desktop\Y7iJlbvuxg.exe, ParentProcessId: 2800, ParentProcessName: Y7iJlbvuxg.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 6156, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Y7iJlbvuxg.exe", ParentImage: C:\Users\user\Desktop\Y7iJlbvuxg.exe, ParentProcessId: 2800, ParentProcessName: Y7iJlbvuxg.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 6156, ProcessName: powershell.exe
    Source: Process started | Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Data: Command: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wevtutil.exe, NewProcessName: C:\Windows\System32\wevtutil.exe, OriginalFileName: C:\Windows\System32\wevtutil.exe, ParentCommandLine: "powershell" -Command "wevtutil sl Application /e:false", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5996, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wevtutil.exe" sl Application /e:false, ProcessId: 7320, ProcessName: wevtutil.exe
    Source: Process started | Author: frack113 | Data: Command: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Y7iJlbvuxg.exe", ParentImage: C:\Users\user\Desktop\Y7iJlbvuxg.exe, ParentProcessId: 2800, ParentProcessName: Y7iJlbvuxg.exe, ProcessCommandLine: "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force", ProcessId: 4196, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Y7iJlbvuxg.exe", ParentImage: C:\Users\user\Desktop\Y7iJlbvuxg.exe, ParentProcessId: 2800, ParentProcessName: Y7iJlbvuxg.exe, ProcessCommandLine: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true", ProcessId: 6156, ProcessName: powershell.exe
    No Suricata rule has matched

    AV Detection

    Source: C:\Users\user\vY0nJg2diW.exe | ReversingLabs: Detection: 63%
    Source: Y7iJlbvuxg.exe | Virustotal: Detection: 60%
    Source: Y7iJlbvuxg.exe | ReversingLabs: Detection: 63%
    Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.3% probability
    Source: unknown | HTTPS traffic detected: 199.232.196.193:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: Y7iJlbvuxg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: dev.pdbw | source: Y7iJlbvuxg.exe, vY0nJg2diW.exe.0.dr
    Source: Binary string: dev.pdb | source: Y7iJlbvuxg.exe, vY0nJg2diW.exe.0.dr
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d\
    Source: global traffic | HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1 accept: */* host: i.imgur.com
    Source: Joe Sandbox View | IP Address: 199.232.196.193 199.232.196.193
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /HCYQoVR.jpeg HTTP/1.1 accept: */* host: i.imgur.com
    Source: global traffic | DNS traffic detected: DNS query: i.imgur.com
    Source: vY0nJg2diW.exe.0.dr | String found in binary or memory: http://ns.adobe.
    Source: powershell.exe, 00000008.00000002.2158117506.00000282693C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259C7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259C7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: Y7iJlbvuxg.exe, 00000000.00000003.2085564612.000001A548EE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000008.00000002.2121530319.000002825A47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000008.00000002.2121530319.000002825A977000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
    Source: powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: Y7iJlbvuxg.exe, vY0nJg2diW.exe.0.dr | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
    Source: Y7iJlbvuxg.exe, README-Nrkrlq9Lfn.md.0.dr, vY0nJg2diW.exe.0.dr | String found in binary or memory: https://getsession.org/
    Source: powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000008.00000002.2121530319.000002825A977000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: vY0nJg2diW.exe.0.dr | String found in binary or memory: https://i.imgur.com/HCYQoVR.jpeg
    Source: powershell.exe, 00000008.00000002.2158117506.00000282693C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: Y7iJlbvuxg.exe, README-Nrkrlq9Lfn.md.0.dr, vY0nJg2diW.exe.0.dr | String found in binary or memory: https://www.blockchain.com/)
    Source: Y7iJlbvuxg.exe, README-Nrkrlq9Lfn.md.0.dr, vY0nJg2diW.exe.0.dr | String found in binary or memory: https://www.coinbase.com/)
    Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknown | HTTPS traffic detected: 199.232.196.193:443 -> 192.168.2.5:49704 version: TLS 1.2

    Spam, unwanted Advertisements and Ransom Demands

    Source: Yara match | File source: Process Memory Space: Y7iJlbvuxg.exe PID: 2800, type: MEMORYSTR
    Source: Y7iJlbvuxg.exe, 00000000.00000002.2145459589.00007FF65E10F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.
    Source: Y7iJlbvuxg.exe, 00000000.00000000.2048064128.00007FF65E10F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.
    Source: Y7iJlbvuxg.exe | Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.
    Source: vY0nJg2diW.exe.0.dr | Binary or memory string: chrome.exefirefox.exesystem32.exeWinDefendscstoptaskkill/F/IMvssadmindelete shadows/all/quietShadow copies deleted successfully.
    Source: C:\Windows\System32\wevtutil.exe | Process token adjusted: Security
    Source: vY0nJg2diW.exe.0.dr | Binary string: Failed to open \Device\Afd\Mio: @
    Source: vY0nJg2diW.exe.0.dr | Binary string: 0\Device\Afd\Mio
    Source: classification engine | Classification label: mal100.rans.evad.winEXE@19/34@1/1
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File created: C:\Users\user\Desktop\README-Nrkrlq9Lfn.md
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rvhanhad.dh2.ps1
    Source: Y7iJlbvuxg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Y7iJlbvuxg.exe, 00000000.00000003.2142003727.000001A54AD3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL COLLATE NOCASE, [PackageName] TEXT NOT NULL COLLATE NOCASE, [ExpirationTime] DATETIME NOT NULL);
    Source: Y7iJlbvuxg.exe | Virustotal: Detection: 60%
    Source: Y7iJlbvuxg.exe | ReversingLabs: Detection: 63%
    Source: Y7iJlbvuxg.exe | String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of blockhi<@
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File read: C:\Users\user\Desktop\Y7iJlbvuxg.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Y7iJlbvuxg.exe "C:\Users\user\Desktop\Y7iJlbvuxg.exe"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\net.exe "net" session
    Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\net.exe "net" session
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: vcruntime140.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: cryptnet.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: dsrole.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: logoncli.dll
    Source: C:\Windows\System32\net1.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\wevtutil.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wevtutil.exeSection loaded: wevtapi.dllJump to behavior
    Source: C:\Windows\System32\wevtutil.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wevtutil.exeSection loaded: wevtapi.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Y7iJlbvuxg.exe | Static PE information: Virtual size of .text is bigger than 0x100000
Source: Y7iJlbvuxg.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Y7iJlbvuxg.exe | Static file information: File size 5493760 > 1048576
Source: Y7iJlbvuxg.exe | Static PE information: Raw size of .text (0x37e000) is bigger than 0x100000
Source: Y7iJlbvuxg.exe | Static PE information: Raw size of .rdata (0x18ca00) is bigger than 0x100000
Source: Y7iJlbvuxg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Y7iJlbvuxg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Y7iJlbvuxg.exe, vY0nJg2diW.exe.0.dr | Binary string: dev.pdbw
Source: Y7iJlbvuxg.exe, vY0nJg2diW.exe.0.dr | Binary string: dev.pdb
Note: 0x140000000 is the default image base the MSVC linker assigns to 64-bit executables, and the four DllCharacteristics flags are the defaults of a current x64 toolchain, so neither is an indicator on its own. Taken together with about 3.5 MiB of .text, 1.5 MiB of .rdata, a debug directory and a "dev.pdb" string, the static view is of a large, natively compiled x64 binary with symbols information left in. The same pdb string appearing in the dropped file vY0nJg2diW.exe is consistent with that file being a copy of the sample; compare the two hashes to confirm.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E70725 push eax; ret 8_2_00007FF848E7086D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E7086F push eax; ret 8_2_00007FF848E7086D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E70830 push eax; ret 8_2_00007FF848E7086D
Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File created: C:\Users\user\vY0nJg2diW.exe (2 entries)
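
The static PE lines above are what a header walk over the sample produces. The script below is an added example for this report, not Joe Sandbox's code, and reimplements those checks with the Python standard library only, so it runs where pefile is not installed. The function names (parse_pe, static_findings, build_sample_pe) are this example's own. build_sample_pe returns constructed PE32+ headers that mirror the reported values (image base 0x140000000, .text raw size 0x37e000, .rdata raw size 0x18ca00, the four DllCharacteristics flags, a populated debug directory); they are not the analysed file, and the 1 MiB and 0x60000000 thresholds are the ones the lines above use.

```python
"""Static PE header checks of the kind listed above (added example, not
Joe Sandbox's code). Standard library only; handles PE32+ (x64) images."""
import struct
import sys

MIB = 0x100000  # 1 MiB, the threshold behind the "bigger than 0x100000" lines
IMAGE_DIRECTORY_ENTRY_DEBUG = 6

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "NX_COMPAT": 0x0100,
    "TERMINAL_SERVER_AWARE": 0x8000,
}


def parse_pe(data: bytes) -> dict:
    """Return image base, DllCharacteristics, debug-directory size and the
    per-section virtual/raw sizes of a PE32+ image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_hdr = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20  # IMAGE_FILE_HEADER is 20 bytes
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    debug_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        debug_size = struct.unpack_from("<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)[1]
    sections = []
    for i in range(nsections):  # section table follows the optional header
        name, vsize, _, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {"image_base": image_base, "dll_characteristics": dll_chars,
            "debug_dir_size": debug_size, "sections": sections}


def static_findings(data: bytes) -> list:
    """Produce the same kind of static lines the report shows, as strings."""
    pe = parse_pe(data)
    out = []
    if len(data) > MIB:
        out.append(f"file size {len(data)} > {MIB}")
    if pe["image_base"] > 0x60000000:
        out.append(f"image base {pe['image_base']:#x} > 0x60000000")
    for s in pe["sections"]:
        if s["virtual_size"] > MIB:
            out.append(f"virtual size of {s['name']} is bigger than {MIB:#x}")
        if s["raw_size"] > MIB:
            out.append(f"raw size of {s['name']} ({s['raw_size']:#x}) is bigger than {MIB:#x}")
    flags = [n for n, bit in DLL_CHARACTERISTICS.items() if pe["dll_characteristics"] & bit]
    if flags:
        out.append("DllCharacteristics: " + ", ".join(flags))
    if pe["debug_dir_size"]:
        out.append("data directory present: IMAGE_DIRECTORY_ENTRY_DEBUG")
    return out


def build_sample_pe() -> bytes:
    """Constructed PE32+ headers (not the analysed sample) carrying the image
    base, section sizes, flags and debug directory reported above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x37E000, 0x18CA00, 0, 0x1000, 0x1000)
    opt += struct.pack("<QII", 0x140000000, 0x1000, 0x200)          # ImageBase, alignments
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)                  # OS/image/subsystem versions
    opt += struct.pack("<IIIIHH", 0, 0x510000, 0x400, 0, 3, 0x8160)  # 0x8160 = the four flags
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):  # data directories; only the debug entry is populated
        opt += struct.pack("<II", 0x4F0000, 0x54) if i == IMAGE_DIRECTORY_ENTRY_DEBUG else b"\0" * 8
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x37DF00, 0x1000, 0x37E000, 0x400, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack("<8sIIIIIIHHI", b".rdata", 0x18C9A0, 0x37F000, 0x18CA00, 0x37E400, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + file_hdr + opt + text + rdata


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for line in static_findings(blob):
        print(line)
```

Run it with a file path to check a real sample; without one it reports on the constructed headers, which is why the "file size" line is absent there. Against a real file, a SizeOfRawData that exceeds the bytes actually present is itself worth noting.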

Boot Survival

Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File created: C:\Users\user\vY0nJg2diW.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.funksec
Note: the only $Recycle.Bin write in this report is a desktop.ini carrying the .funksec suffix. That is consistent with the encryptor walking the per-user Recycle Bin folder like any other directory, not with a payload being staged there; no executable is created under $Recycle.Bin.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 entries)
Note: PowerShell's command discovery reads the manifest of every module under PSModulePath when it resolves a command name or refreshes its module analysis cache, so these opens show the manifest being read, not that a BitLocker cmdlet was imported or run. Check the recorded command lines for Enable-BitLocker, Get-BitLockerVolume or manage-bde before treating this as a BitLocker-based encryption attempt.
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7995
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1037
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1392
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1398
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5632
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep count: 7995 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 | Thread sleep count: 1037 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248 | Thread sleep count: 1392 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6512 | Thread sleep count: 1398 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep count: 5632 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 | Thread sleep count: 88 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d\
    Source: vY0nJg2diW.exe.0.dr | Binary or memory string: *Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq t
    Source: vY0nJg2diW.exe.0.dr | Binary or memory string: Set-MpPreference -DisableRealtimeMonitoring $truewevtutil sl Security /e:falsewevtutil sl Application /e:falsevboxserviceqemuhypervvmwaretasklist/fiIMAGENAME eq
    Source: Y7iJlbvuxg.exe, 00000000.00000003.2143651946.000001A548E66000.00000004.00000020.00020000.00000000.sdmp, Y7iJlbvuxg.exe, 00000000.00000002.2144387310.000001A548E66000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\net.exe "net" session
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Security /e:false"
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "wevtutil sl Application /e:false"
    Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Security /e:false
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" sl Application /e:false
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$WinREAgent VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\$WinREAgent\Scratch VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\Users\user VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\Users\user\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\Users\user\.ms-ad VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\Users\user\3D Objects VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe | Queries volume information: C:\Users\user\AppData VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\Profiles VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\Profiles VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5} VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOCK VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\MANIFEST-000001 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\336a045b-df12-4067-9f71-93ee2edb038d VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformation
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\NetworkDataMigrated VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Reporting and NEL VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\ARM\Acrobat_23.006.20320 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\Profiles VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_2 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies-journal VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\ARM\S VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_1 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\data_3 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000003.log.funksec VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\CURRENT VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeQueries volume information: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\LOG VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeCode function: 0_2_00007FF65E0FD548 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF65E0FD548
    Source: C:\Users\user\Desktop\Y7iJlbvuxg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    MITRE ATT&CK matrix (the number in parentheses is the count shown next to a technique in the report):

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (111) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (21) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Virtualization/Sandbox Evasion (21) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (1) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Behavior Graph ID: 1589531  Sample: Y7iJlbvuxg.exe  Startdate: 12/01/2025  Architecture: WINDOWS  Score: 100
    Node 2: Start
      34: ipv4.imgur.map.fastly.net (2->34)
      36: i.imgur.com (2->36)
      40: Multi AV Scanner detection for dropped file (2->40)
      42: Multi AV Scanner detection for submitted file (2->42)
      44: Yara detected FunkLocker Ransomware (2->44)
      46: 6 other signatures (2->46)
      8: Y7iJlbvuxg.exe 22 (2->8) started
    Node 8: Y7iJlbvuxg.exe
      38: ipv4.imgur.map.fastly.net 199.232.196.193, 443, 49704 FASTLYUS United States (8->38)
      30: C:\Users\user\vY0nJg2diW.exe, PE32+ (8->30) dropped
      32: C:\$Recycle.Bin\...\desktop.ini.funksec, data (8->32) dropped
      48: Creates files in the recycle bin to hide itself (8->48)
      50: Deletes shadow drive data (may be related to ransomware) (8->50)
      52: Bypasses PowerShell execution policy (8->52)
      54: 3 other signatures (8->54)
      13: powershell.exe 23 (8->13) started
      16: powershell.exe 23 (8->16) started
      18: powershell.exe 7 (8->18) started
      20: 3 other processes (8->20)
    Node 13: powershell.exe
      56: Loading BitLocker PowerShell Module (13->56)
      22: WmiPrvSE.exe (13->22) started
    Node 18: powershell.exe
      24: wevtutil.exe 1 (18->24) started
    Node 20: 3 other processes
      26: wevtutil.exe 1 (20->26) started
      28: net1.exe 1 (20->28) started

    Source | Detection | Scanner | Label | Link
    Y7iJlbvuxg.exe | 61% | Virustotal | | Browse
    Y7iJlbvuxg.exe | 63% | ReversingLabs | Win64.Ransomware.Funksec |
    Source | Detection | Scanner | Label | Link
    C:\Users\user\vY0nJg2diW.exe | 63% | ReversingLabs | Win64.Ransomware.Funksec |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://getsession.org/ | 0% | Avira URL Cloud | safe |
    http://ns.adobe. | 0% | Avira URL Cloud | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    ipv4.imgur.map.fastly.net | 199.232.196.193 | true | false | | high
    i.imgur.com | unknown | unknown | false | | high
URLs
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.2158117506.00000282693C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000008.00000002.2121530319.000002825A47F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.coinbase.com/) | Y7iJlbvuxg.exe, README-Nrkrlq9Lfn.md.0.dr, vY0nJg2diW.exe.0.dr | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.2121530319.0000028259C7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000008.00000002.2121530319.000002825A977000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.2121530319.0000028259C7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.2158117506.00000282693C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft.co | Y7iJlbvuxg.exe, 00000000.00000003.2085564612.000001A548EE9000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2121530319.000002825ACBF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://docs.rs/getrandom#nodejs-es-module-support | Y7iJlbvuxg.exe, vY0nJg2diW.exe.0.dr | false | - | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000008.00000002.2121530319.000002825A977000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://i.imgur.com/HCYQoVR.jpeg | vY0nJg2diW.exe.0.dr | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.2121530319.0000028259351000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ns.adobe. | vY0nJg2diW.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.2121530319.0000028259351000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2121530319.0000028259578000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.blockchain.com/) | Y7iJlbvuxg.exe, README-Nrkrlq9Lfn.md.0.dr, vY0nJg2diW.exe.0.dr | false | - | high
https://getsession.org/ | Y7iJlbvuxg.exe, README-Nrkrlq9Lfn.md.0.dr, vY0nJg2diW.exe.0.dr | false | Avira URL Cloud: safe | unknown
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
199.232.196.193 | ipv4.imgur.map.fastly.net | United States | 54113 | FASTLYUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589531
Start date and time: 2025-01-12 18:49:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Y7iJlbvuxg.exe (renamed because the original name is a hash value)
Original Sample Name: 20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d.exe
Detection: MAL
Classification: mal100.rans.evad.winEXE@19/34@1/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Y7iJlbvuxg.exe, PID 2800 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 4196 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Timeline
Time | Type | Description
12:50:05 | API Interceptor | 51x Sleep call for process: powershell.exe modified
Context: IPs
Match: 199.232.196.193
Associated Sample Name / URL | Detection | Threat Name
CF537GfmKa.exe | malicious | FunkLocker
siy9g3WGCc.exe | malicious | FunkLocker
SjDqoVVmzX.exe | malicious | FunkLocker
https://heuristic-knuth-588d37.netlify.app/?naps/ | malicious | HTMLPhisher
https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | malicious | Unknown
https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf | malicious | Unknown
https://media.maxfs.de/ | malicious | Unknown
http://synthex.cheating.store/ | malicious | Unknown
https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253 | malicious | KnowBe4
https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql | malicious | HTMLPhisher

Context: Domains
Match: ipv4.imgur.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CF537GfmKa.exe | malicious | FunkLocker | 199.232.196.193
siy9g3WGCc.exe | malicious | FunkLocker | 199.232.196.193
SjDqoVVmzX.exe | malicious | FunkLocker | 199.232.196.193
http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown | 199.232.192.193
https://heuristic-knuth-588d37.netlify.app/?naps/ | malicious | HTMLPhisher | 199.232.196.193
https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | malicious | Unknown | 199.232.196.193
https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf | malicious | Unknown | 199.232.192.193
https://media.maxfs.de/ | malicious | Unknown | 199.232.192.193
http://synthex.cheating.store/ | malicious | Unknown | 199.232.196.193
setup-avast-premium-x64.exe | malicious | Unknown | 199.232.192.193

Context: ASNs
Match: FASTLYUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CF537GfmKa.exe | malicious | FunkLocker | 199.232.196.193
siy9g3WGCc.exe | malicious | FunkLocker | 199.232.196.193
SjDqoVVmzX.exe | malicious | FunkLocker | 199.232.196.193
sZSXKXOnBw.exe | malicious | Unknown | 185.199.111.133
sZSXKXOnBw.exe | malicious | Unknown | 185.199.110.133
PDF-523.msi | malicious | AteraAgent | 199.232.210.172
http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown | 199.232.192.193
https://heuristic-knuth-588d37.netlify.app/?naps/ | malicious | HTMLPhisher | 199.232.192.193
https://terrific-metal-countess.glitch.me/ | malicious | HTMLPhisher | 151.101.129.44
http://procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/ | malicious | HTMLPhisher, Mamba2FA | 185.199.110.153

Context: JA3 fingerprints
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CF537GfmKa.exe | malicious | FunkLocker | 199.232.196.193
siy9g3WGCc.exe | malicious | FunkLocker | 199.232.196.193
SjDqoVVmzX.exe | malicious | FunkLocker | 199.232.196.193
rii2.mp3.hta | malicious | LummaC | 199.232.196.193
sZSXKXOnBw.exe | malicious | Unknown | 199.232.196.193
sZSXKXOnBw.exe | malicious | Unknown | 199.232.196.193
v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 199.232.196.193
c2.hta | malicious | Unknown | 199.232.196.193
E6wUHnV51P.exe | malicious | DCRat | 199.232.196.193
resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 199.232.196.193
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):249
                                                                    Entropy (8bit):7.079185415873493
                                                                    Encrypted:false
                                                                    SSDEEP:6:a2KBevcnhj4RaOSVu488dqaIt0ToqxoUjqObYoMnEVRG:0Be0hhLVbsaf97/PG
                                                                    MD5:F000895F874C8A7B124F1C79F765C82D
                                                                    SHA1:E0EBFB0E2519BAA6011172B3B7D6A43B70509594
                                                                    SHA-256:903F397469B308B2FBD3585A05A8F58FA85C67C6E5D481CCB1393C91AB0C56C2
                                                                    SHA-512:826F0560E0DE7C9AB2E818C24F3C4D1847548B69060D9C10178C1BD45AD61FE5D6ABB540E1A6321CD9DFAF06CAB76DEBC8D5A45F38264A96F9A7121EDBAC380F
                                                                    Malicious:true
                                                                    Preview:g<..1._K...8J.f.c]:2.p.%v.eEz.+...$C$...0..q.+&....n.'K....QA.w..gfPaE...o.D.Mi.}..JT.0..s...yU..q~o.-4..K..NG.gPy..A<%.|.;.K.^.s.uU.6.,@..W].....+..B%.2l.......M.......j4.LM ..5...PI..#.. h.`...OTu..G.4+5......$...M.;-........q.....p0....
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):249
                                                                    Entropy (8bit):7.161475476097081
                                                                    Encrypted:false
                                                                    SSDEEP:6:a5bLgWXfv3tNDRqgwe76cx8CXExq6VSro9Fm9rDNjG8BE:IgWXHtNlXwe76KQS89I98mE
                                                                    MD5:D7E42366F784647B8CD3CF1F60D19FB6
                                                                    SHA1:FB9E95D5C70C1C4B9EF43BF9D8F590AC4B9FDE5A
                                                                    SHA-256:D3E0E7F9D1724670439230A74BF6A9F3CB5528BA71DCEE1BD76E82F60A170EB3
                                                                    SHA-512:4BF38AA3054BB79A8ECE385C014FB99C48EDE11C01FF3584409EE9717341925C319AEB7CB825128DD08CD74496144849E841DF96BDF771B431D8F777783003D7
                                                                    Malicious:false
                                                                    Preview:.>....n..A.HZ.W0.%...Z..Gu...EA.<........l..-.....*.n.2..rw,..OR.+..........MB...T.".....@..O . e.._j.A.u<...C......u...:o....A..I).g.:!.1.G..}..g....O......7>...LZ.....[....].U.`.E#........a|..4BC..../U...x..7...64*U...c>......JH......
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):249
                                                                    Entropy (8bit):7.074689771380466
                                                                    Encrypted:false
                                                                    SSDEEP:6:sFTwfi58DDdaA7mPH14flunOfHbxeHKFKFCsAt:slKQA7mf13nOjxAKKR8
                                                                    MD5:2F4035D582C4FA9224EA467DF63A6043
                                                                    SHA1:1D77924D5DA03E7B5455EFB123C50740AB7CFAB5
                                                                    SHA-256:BF43139F44EFE14C416940930CD3E7D4977540508F27DAD0B34081AB1364A333
                                                                    SHA-512:FD27A11267355C633B52DCCD5E354E9F9D79DF97B48A00EAD37D4EDCF043B4C87236BF811C250DAAB6FDA6BB5EE45CE7282D3AF0F0EB4D08F2A9E06F3D8143B2
                                                                    Malicious:false
                                                                    Preview:..`.6.G|..z...f.l.s=..^.....!.w....<...p.r.E...0.....AO.^'...5..{.;.@.q..>6.....}..~ol.hm....:.VOY.!...*.,S.}2..F.T...m>M.|nZ.g..,Y4...,...k....;.ei....vD.\...8.Flg...!J..,.Vg..s..vV.5........qV.....u......e=a..6..-.+\.[..WsQ.#:#w.e..4..
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):249
                                                                    Entropy (8bit):7.029528677011643
                                                                    Encrypted:false
                                                                    SSDEEP:6:RUgzMvo5U9PUHNxxbTfp/3f1UVxUdMr435t2GX:RU0UIUCtxxfp/PuVmdMGn2GX
                                                                    MD5:B6859B7F856E0466BE134A71D855540E
                                                                    SHA1:B822C35BBC2E21547548E9408626D407EA6CCA3D
                                                                    SHA-256:EC785241205D5852BFF2733491DC6BEA51D8EBE200D3A76BE654CD825A8EE91B
                                                                    SHA-512:DCDD22FA219AA5D0562BD38A848999511E108A0F7A4BA13B3A6B78678DC59C9976E5A174EAA357BF71D2F901935542D6858F55EFB071E4988D24D306E104F940
                                                                    Malicious:false
                                                                    Preview:..M.r....5..=wv....m0.....S..<.-.g{#...\-.E'..v.+Ev....0..".et....v.x{...3...G<*G.7$\.L....v1v.J.0...N'+........R...(..@.....,...'..e5....7..2...BM....'..P...9d.R.@_.?hC...'...[<o..............!..7.Y..\.....o.+aS.....l.G.^.n.(.....0......5
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):466
                                                                    Entropy (8bit):7.408450417555172
                                                                    Encrypted:false
                                                                    SSDEEP:6:sjRAIgf0CDc5z2cMzl8Li7rbHDxEHgrjlpagMQl58ZXEqD4K+hiiduv5wsnaz169:stAIguz7MzlOAjxDzIaa6hXZn169QHMp
                                                                    MD5:8FFCCC8BB53AB57BA36343C73D65DB7B
                                                                    SHA1:23010ECCA50ECE5D595E215BD41826519D265419
                                                                    SHA-256:65F2DC1B4F9DA102DA084EA4E9CFC4896C4129E5F0B7CAF00D5D3CF4B7CDCEAF
                                                                    SHA-512:706CC1908255510CB75AF2247212CBA3C2030959352D1A979835F192D2268F5882AF1A13561C73FF899BEA52F6AC766ED312C69E2CAAF8545E086B13EF658304
                                                                    Malicious:false
                                                                    Preview:.0.8.)..~....l.6.H.....,?<.:..[....QNg.4a.....8...uq.UWd.Q,^.......v.v...]r.1..u0....^JJx...[0O%A(NB}k7e.>......._..c#.Ny...G....$..c. Q*....5%2..q.+..#.y=t.B.2...(_F..H..3..;..=.x..:nz..N.D..L(.&w..I5...0...+....o..R....hd..},........m.i...Br.1..t0<...^.JA..=0/%.(.B-kceM>..F.....Y..c".iy...G....$..c. QO...?%5..y....#.y&t.B.2...(UF..H..m.M.:e.%.....}]...EkiF...A...0d..E..fBa..S.5@X..l...d..g,..........i...Ur.1..*0p..^.J(...<.....m..`..|0..
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):24
                                                                    Entropy (8bit):4.418295834054489
                                                                    Encrypted:false
                                                                    SSDEEP:3:5gwbhKAMIsn:+uhu
                                                                    MD5:C03293EBE4D2A8E1B746F1AC738A6F73
                                                                    SHA1:ECBC725613A4695FD91000DAD31ECB04C3B6773F
                                                                    SHA-256:288A19EE541943757E8166AB5EE4400C473816BF9F50A8C8A3AA8D6E4C09F92D
                                                                    SHA-512:10CEA6488052333A380C2112C38E6E29343F3A050EBF46827162378CC11CA52B1D0F4F6846362FD4A3F07807927713240A809D43E73C81BEBDAFE03F6EC91096
                                                                    Malicious:false
                                                                    Preview:8......>C6.{.J....-..D.
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):24
                                                                    Entropy (8bit):4.501629167387823
                                                                    Encrypted:false
                                                                    SSDEEP:3:iCF2A7/Jn:iCBLJn
                                                                    MD5:C2118F45116AE860A7512AFC6C8133F4
                                                                    SHA1:556608677DEDF848232DEA37E31EA6F0575C65E0
                                                                    SHA-256:FE499A171919F3B9B4061920DDC4E1376C48EF42F300689D7221481BCA2B5783
                                                                    SHA-512:8131B206863A5E33A94BFCC5AAA63DA35BFEB43297C018898A5018FA1CC31E1B4EB060473A9AB313E47A7A1ED8A99850516889F7BA90E383F86F22D925373C6A
                                                                    Malicious:false
                                                                    Preview:..'.b.........t...%A...
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):700
                                                                    Entropy (8bit):7.666174397626042
                                                                    Encrypted:false
                                                                    SSDEEP:12:sZOV90spYij6zXWh3lLVoNuxZU4P/XWG9e/MR4FjM/uX8ZBo6A:sZOV98iuMKNmU4P/GG9eU6ZmX/A
                                                                    MD5:10DE307D1CE75C171D5C5F31C2008819
                                                                    SHA1:DE632E9EA6DB5FD08D39D7D67545C3E17185C9B8
                                                                    SHA-256:C94016494E31C95D497D94336CAF7DF987C8D0F514404E470DF3814F836CD562
                                                                    SHA-512:5D0AD42E261AEDFA32A28436C8A6CD499B1600E7A20CAAECD455541F83E0E26F8FC050DE7A10FCE3D43F0E0117E36D51C9D270D9DD099775831B81A3DED8819A
                                                                    Malicious:false
                                                                    Preview:...E..........P#B....;.'........II7O......rmfO@9...to-l.:6.9.!..e.b.!O.@r."u$..2..:...`.mW(O.h.P..)...V.....I..s.x.>Lp.u.......h..2........|..C7.-b.dMr.prr].{..R.L.[^...SZ...I...M..V..Q..cF~~Z...5.a..q~!oL..`5.t.....89{--.8....D..w..h.'O.VD...*.&.......`..WYG4M.@...:..<}...Q.'...a.Q..4..zz.o....Z..U..+r..k.q...C7.-h.8H..@bz^....~.~l.U...}=c.R.D....1.@..Q....<......N-._..T.`e.?s,i..X.DMb&N..wE1.w..=..r.;I.c...+4v..F..<...u.mWYG6g.D...O../_....=M..F.....@.rJ.m....T.5..wG...).....;..8W.9vz.p}Y~.E...t.!.hs...~......Ja.%..&.,q.g..{tB.......w.E.S..:.....u{`b.{4.&.j....g.#P.GB..>/j.9.........~lr.S.F...$...R..S.0...W.M...E.cC.f.....1......^.....S..8.....\P.{he....
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):446
                                                                    Entropy (8bit):7.542316527647567
                                                                    Encrypted:false
                                                                    SSDEEP:12:9aMzjyH34FQ7ludPqXSqHrADZdg29aK16IFT5DU:9aMqHn5uNEhrm9bTFlQ
                                                                    MD5:70345F720280BBD051AC983847340D1E
                                                                    SHA1:F4663F55CED4A892C3CC7C1B4EDB4C8DB7164FFF
                                                                    SHA-256:91F0E728BC50A8D3F223BCECB8294ADB13B8E84FE5E68ADE73F05B5DD99B823C
                                                                    SHA-512:AEB50CA31542D8C54439AA98CF73C1443D9F38703ABD9DA0C4E4B03F6CA0F9E81313A79E91E83CC74DB13443855A717F23F13EB12BF799D94E65FCE338F47B28
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):1737
                                                                    Entropy (8bit):7.87546341932778
                                                                    Encrypted:false
                                                                    SSDEEP:48:KItoz5lndJPxaVJVao0rQ5ZGdQSymQnBSsAHF/u65Q8e:KvtdJ4JL5ZGomQnkjHFWUe
                                                                    MD5:86CF378DDC1D24F302E069F8402DA507
                                                                    SHA1:57DD88AC95A0386E9505A02A462BFC01170B91B8
                                                                    SHA-256:789172EF8BEC221FF83FCD94E82104845ED5320ECC6586DE771329BE545CB0EE
                                                                    SHA-512:1850EE819E7A46B6217694706760F40CBC53AA3746F3EF3A2A84AE5AC7D24D574DC2F80C59D6F9AA00585A9F1998E7C9674F93A1D7CF66010A5B5139CC3326E2
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):254579
                                                                    Entropy (8bit):7.972884281315443
                                                                    Encrypted:false
                                                                    SSDEEP:3072:SlUHYyI0EpQcSV5lEk2NdXq5Uxl7fnzWo6pftj9ZS2fOVvWEOWqqKuMABJdtSV5f:0ef5lE7EpVJbEWqratXjtBOBol7L
                                                                    MD5:0D1A44B46038DA719D65E3DE1F0B6F5D
                                                                    SHA1:3C243A1FE75131DA7B1FF94717C158400642121E
                                                                    SHA-256:985DA55DC0DAC23BF4CAACDCDAC3DA5E97C66AC1A0ED8FF922AC9F8B925B8FE2
                                                                    SHA-512:2CADF9E4B22FFFDEE7E909E7319236A9D2BED8083EFEC352B166068F2F6F73205649F74ED6EF1C9620C32F09A10A12F22DAD67B343AA50687D372AED89145719
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):14984
                                                                    Entropy (8bit):7.961208915758901
                                                                    Encrypted:false
                                                                    SSDEEP:384:UCtVoCdruR8jpEALwy6KmBMYxjaQl1aiDAEu9vHl:USWCV/jN61x/1aMAP5Hl
                                                                    MD5:156A1146B21D0CBF899CD466D3818E2C
                                                                    SHA1:49395CF9A3657201351B03ABBBC1C92C2B9C7A67
                                                                    SHA-256:80BDACADEFFD8FEF54CB44AEA35D0105577FC7E018B0DE7516CA8D1BC7B73497
                                                                    SHA-512:73B47CE60AE4B2E40A580E6038E5342E7FDCD9BB7D3F23EA05DD6F2B8597DF1F3F34BAB02C0C0ABFB18846B04497412580766413FE816E30B933310DA5F45E96
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):312178
                                                                    Entropy (8bit):7.792720810619171
                                                                    Encrypted:false
                                                                    SSDEEP:3072:wkA5bJfHnVkf220gwj4RG1tUITxxi5DivO05SAYJ:VYfHnQ220XkkXxgfAYJ
                                                                    MD5:550855FE8081592582452A3EE26F08FC
                                                                    SHA1:F2FB7274E6A3CB65E31DF255F3B6E3F51FA65536
                                                                    SHA-256:FCF68B9BBF71B3331BFAA54FFD32BC8F647017B6EA6AC50359F76D3ADB11C7A9
                                                                    SHA-512:DB5E524D37946B9D4A4E120C219E33D545FECB6527006F61AEAE5A4C9316C5DA80D14AB3A93D2C7E9E0864496974D243917B12FA3032621C60B2D7F965E830DA
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):3946
                                                                    Entropy (8bit):7.9241878044734735
                                                                    Encrypted:false
                                                                    SSDEEP:96:3JiV66OjEAg5sEs+wRTsmXAr3RlAxsn3C8H:q6NeCE1mwr8+n3X
                                                                    MD5:91E18A66472B17F8296BF2AE130573CD
                                                                    SHA1:26D90B8377FA73E49C2851CD406939214A94C854
                                                                    SHA-256:AC0288FC716B1B960E952155119EEF7EC979673DF27852E3BAE06B53EB7D28B9
                                                                    SHA-512:E7D15F73314DA5343CD6C82869F3500ED4CFF0DF438F0445190FB2D12D7B2680184FE8C6C3E43B5F6AD83A1D39B8EDB7C78A1BAAC164B3957AED23EA05E7C966
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):91806
                                                                    Entropy (8bit):7.9629566362634545
                                                                    Encrypted:false
                                                                    SSDEEP:1536:DuFoQmerMiQvKuWlfMSXG8o5jGQAzmAh8lMCtw+2Y5QS1LlwNzd:CFroiQxWlfMSXG84jGQASy/CtCYyuiX
                                                                    MD5:3AAE6F96595146AF2D38629ADB9588B8
                                                                    SHA1:923962DFA0018367C35434D1D83E8E650560EB69
                                                                    SHA-256:0A60DAA93724AB7FCC069DDB2827DF8164FA4C0AFB5A0585FE49B887B31A0DB3
                                                                    SHA-512:467444EEB1BBBC36516B6615197CB3955B3DD000C964F19F0F5B0C6F048CE04311895A6CCB32A047BE9398B9A5A11626D38FBE5DF0181CE347FF3345171D4932
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):862
                                                                    Entropy (8bit):7.648602179802432
                                                                    Encrypted:false
                                                                    SSDEEP:12:Ucu410gMH/RkBZhDdLkAZ6ACUhlrP46cWF77POYRc7n9G+UGZxT4mIak0gM1UneG:F/07gDyAEnsBcC7LjYPnr3pKneVpHi
                                                                    MD5:8B843D9CFFC3F619E05291C2F57EA9F4
                                                                    SHA1:8E620C4E39870DEC20E60139CF3C0D9C1CA7C518
                                                                    SHA-256:B0A50CA718C689F5736F019AC65D2736CE47120F6899540CE2026A91926DD487
                                                                    SHA-512:61F076383A94993722D59660108BEAE44E6B8955B66C463B34BD1B3EC0E32D1851A2462E520E0B1A6F7D7D2867D02F4A6B87C3FE78B19E63A7C0DFE45CB84C13
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):1441816
                                                                    Entropy (8bit):7.480085924377971
                                                                    Encrypted:false
                                                                    SSDEEP:12288:GfhvR0U8wUFQoniUWSxenOnW/qcp1pvpLtDt:rRFRiUWv5ppFt
                                                                    MD5:C60815381326C31B47C6202CCD85E252
                                                                    SHA1:A6227921D896F3ED7F4619B69D7704DE195CB7C1
                                                                    SHA-256:2326BDCC2D349C17B2AE2A95DC4AE1BBD7FA9CCE472ED53EC414B18670462258
                                                                    SHA-512:2303F36EE3183FD2E5686F6F94595CF69E36927B61CBFA0350C2079B3DFFEEAA0AE32B01ADDE294A8CBD58FFB674F605BC8CFEA520641D2AE0672ECADF71905B
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):64
                                                                    Entropy (8bit):1.1940658735648508
                                                                    Encrypted:false
                                                                    SSDEEP:3:NlllulVmdtZ:NllUM
                                                                    MD5:013016A37665E1E37F0A3576A8EC8324
                                                                    SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                                    SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                                    SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:Unicode text, UTF-8 text
                                                                    Category:dropped
                                                                    Size (bytes):1578
                                                                    Entropy (8bit):5.264172735824056
                                                                    Encrypted:false
                                                                    SSDEEP:48:/XufmCFpWrOU5M1R7ARj7qQXPHrsATBb34W0:/4mOpu5M1WeQfgATBL4W0
                                                                    MD5:8EF3D61F17A54B4D2CFDC3D7BA139FC8
                                                                    SHA1:3DFFC0343F119980E2532676355ADAF082B21A0F
                                                                    SHA-256:E29D95BFB815BE80075F0F8BEF4FA690ABCC461E31A7B3B73106BFCD5CD79033
                                                                    SHA-512:0F42F46DC91B44022EBE00A9FF053FC2C213EFEE1EBDD415A786AB6CFCB62567B5963E5813FE97013364BCD538A9C2077F4246CC4287DD305CA388DA6A27B3F6
                                                                    Malicious:false
                                                                    Preview:.# .. FUNKLOCKER DETECTED ..... **Congratulations** . Your organization, device has been successfully infiltrated by funksec ransomware!..## .. **Stop**.- Do NOT attempt to tamper with files or systems..- Do NOT contact law enforcement or seek third-party intervention..- Do NOT attempt to trace funksec's activities...## .. **What happened**.- Nothing, just you lost your data to ransomware and can't restore it without a decryptor..- We stole all your data..- No anti-virus will restore it; this is an advanced ransomware...## .. **Ransom Details**.- Decryptor file fee: **0.1 BTC**.- Bitcoin wallet address: `bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq`.- Payment instructions:. 1. Buy 0.1 bitcoin.. 2. Install session from: https://getsession.org/. 3. Contact us with this ID to receive the decryptor: 0538d726ae3cc264c1bd8e66c6c6fa366a3dfc589567944170001e6fdbea9efb3d..## .. **How to buy bitcoin**.- Go to [Coinbase](https://www.coinbase.com/) or any similar website like [Bloc
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 696x516, components 3
                                                                    Category:dropped
                                                                    Size (bytes):25447
                                                                    Entropy (8bit):7.009816137563603
                                                                    Encrypted:false
                                                                    SSDEEP:384:icpk7sPEFPLY2xiy7JDk0Ot+A+AedexytJ0e:i5NLY20y75fO8A+HexyL
                                                                    MD5:D10E302877008B2567890DE25F6D3711
                                                                    SHA1:318D25D53DCD8765D79C6CEF07A6AEA72A4BF76F
                                                                    SHA-256:EA627D5499996BDA0BDEF215B41FF4353BC9E9C6886AF45115D5EC5E170EAD93
                                                                    SHA-512:173A2F5F2357E44D9A7C7E29D089AB81CC61495830CFBD40506B66992F41652CC7691E64CB7D4597F323C4B12EC96B0B5BD61BEDE4D0A69CACDCE56D0E4AE761
                                                                    Malicious:false
                                                                    Preview:......JFIF................................C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222.....................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):5493760
                                                                    Entropy (8bit):6.240261359980449
                                                                    Encrypted:false
                                                                    SSDEEP:49152:1Ew0dMICHvoBWdKD27GidOx1Sjq+WSGeDfT2bjYqCFhkFDGgvDYldWxjvbbISmEj:7cSqGcF7lZ2uGUj
                                                                    MD5:C8DD54784FB1B6CBD16CEC060487FB8F
                                                                    SHA1:AA8E0F879F1B6A0D83D2657E86CCA4B66D8235CF
                                                                    SHA-256:20ED21BFDB7AA970B12E7368EBA8E26A711752F1CC5416B6FD6629D0E2A44E5D
                                                                    SHA-512:8237A7B7142EC7155F66A8E02DE2913F17139EB0F80235376E93CD3B7DBD60F3E48D427CC5F54575B2DCBD83868407D7D534F775FF8EEC6B37CEE5EAEFAC9765
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d....pzg.........."....*..7...........6........@..............................T...........`..................................................P.|.............Q...............S..a....G.T.....................G.(.....G.@.............7.`............................text.....7.......7................. ..`.rdata..`.....7.......7.............@..@.data....3....P..2....P.............@....pdata........Q.......P.............@..@.reloc...a....S..b...rS.............@..B................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\Y7iJlbvuxg.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    File type:PE32+ executable (console) x86-64, for MS Windows
                                                                    Entropy (8bit):6.240261359980449
                                                                    TrID:
                                                                    • Win64 Executable Console (202006/5) 92.65%
                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:Y7iJlbvuxg.exe
                                                                    File size:5'493'760 bytes
                                                                    MD5:c8dd54784fb1b6cbd16cec060487fb8f
                                                                    SHA1:aa8e0f879f1b6a0d83d2657e86cca4b66d8235cf
                                                                    SHA256:20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d
                                                                    SHA512:8237a7b7142ec7155f66a8e02de2913f17139eb0f80235376e93cd3b7dbd60f3e48d427cc5f54575b2dcbd83868407d7d534f775ff8eec6b37cee5eaefac9765
                                                                    SSDEEP:49152:1Ew0dMICHvoBWdKD27GidOx1Sjq+WSGeDfT2bjYqCFhkFDGgvDYldWxjvbbISmEj:7cSqGcF7lZ2uGUj
                                                                    TLSH:24463A22BB5A99ADC49AC0B083564B726A7134CB0B3579FF44D446783E2DAF42F3C758
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<...o...o...o...o...o.G.n...o.G.n...o.G.n...o.G.n...ok..n...o...o...o...o...o/G.n...oRich...o........PE..d....pzg.........."
                                                                    Icon Hash:00928e8e8686b000
                                                                    Entrypoint:0x14036d2ec
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x140000000
                                                                    Subsystem:windows cui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x677A70FC [Sun Jan 5 11:46:04 2025 UTC]
                                                                    TLS Callbacks:0x40354390, 0x1
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:6
                                                                    OS Version Minor:0
                                                                    File Version Major:6
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:6
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:3618f5646ce04014e413d2930595cbc4
Instruction (as disassembled by the sandbox; the 0x48 REX.W prefix of this x64 code is shown as a separate `dec eax`, so each `dec eax` belongs to the instruction that follows it, e.g. `dec eax` / `sub esp, 28h` is `sub rsp, 28h`)
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    call 00007F51D0B778C8h
                                                                    dec eax
                                                                    add esp, 28h
                                                                    jmp 00007F51D0B774E7h
                                                                    int3
                                                                    int3
                                                                    jmp 00007F51D0B77C68h
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    call 00007F51D0B77F30h
                                                                    test eax, eax
                                                                    je 00007F51D0B77693h
                                                                    dec eax
                                                                    mov eax, dword ptr [00000030h]
                                                                    dec eax
                                                                    mov ecx, dword ptr [eax+08h]
                                                                    jmp 00007F51D0B77677h
                                                                    dec eax
                                                                    cmp ecx, eax
                                                                    je 00007F51D0B77686h
                                                                    xor eax, eax
                                                                    dec eax
                                                                    cmpxchg dword ptr [001A1F5Ch], ecx
                                                                    jne 00007F51D0B77660h
                                                                    xor al, al
                                                                    dec eax
                                                                    add esp, 28h
                                                                    ret
                                                                    mov al, 01h
                                                                    jmp 00007F51D0B77669h
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    test ecx, ecx
                                                                    jne 00007F51D0B77679h
                                                                    mov byte ptr [001A1F45h], 00000001h
                                                                    call 00007F51D0B77C1Dh
                                                                    call 00007F51D0B77930h
                                                                    test al, al
                                                                    jne 00007F51D0B77676h
                                                                    xor al, al
                                                                    jmp 00007F51D0B77686h
                                                                    call 00007F51D0B77923h
                                                                    test al, al
                                                                    jne 00007F51D0B7767Bh
                                                                    xor ecx, ecx
                                                                    call 00007F51D0B77918h
                                                                    jmp 00007F51D0B7765Ch
                                                                    mov al, 01h
                                                                    dec eax
                                                                    add esp, 28h
                                                                    ret
                                                                    int3
                                                                    int3
                                                                    inc eax
                                                                    push ebx
                                                                    dec eax
                                                                    sub esp, 20h
                                                                    cmp byte ptr [001A1F0Ch], 00000000h
                                                                    mov ebx, ecx
                                                                    jne 00007F51D0B776D9h
                                                                    cmp ecx, 01h
                                                                    jnbe 00007F51D0B776DCh
                                                                    call 00007F51D0B77EA6h
                                                                    test eax, eax
                                                                    je 00007F51D0B7769Ah
                                                                    test ebx, ebx
                                                                    jne 00007F51D0B77696h
                                                                    dec eax
                                                                    lea ecx, dword ptr [001A1EF6h]
                                                                    call 00007F51D0B77F78h
                                                                    test eax, eax
                                                                    jne 00007F51D0B77682h
                                                                    Programming Language:
                                                                    • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x50a1d4          0x17c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0               0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x510000          0x29004        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x53a000          0x6180         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x478ee0          0x54           .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x478f80          0x28           .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x478da0          0x140          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x37f000          0x660          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type           Entropy             Characteristics
.text   0x1000           0x37dfdf      0x37e000  7bb73cd1beb9a9fe85d47b8ba34a1a5b  unknown   unknown              unknown             unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x37f000         0x18c960      0x18ca00  8bd29987fa1cbc5655925ea006774e76  False     0.2623004402379452   OpenPGP Public Key  5.390768742821457   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x50c000         0x3310        0x3200    a11025ab562485b5382f7da70e543bca  False     0.160546875          data                2.3778467372000702  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x510000         0x29004       0x29200   07168752d67b662ed8e9cf858f486778  False     0.49995844414893614  data                6.4044649842942265  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x53a000         0x6180        0x6200    0351a6dd593f610cc5ee2195466725c8  False     0.43419164540816324  data                5.458047811927673   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
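The "Is in Section" column of the data-directory table and the "Entrypoint Section: .text" line above are both derived the same way: an RVA is looked up in the virtual ranges of the section table. The following is an added example, not code from the Joe Sandbox report or from the sample, that reproduces that lookup from the values printed on this page; it also flags the two section-table conditions a triage analyst checks first, writable-and-executable sections and a virtual size larger than the raw size. The section and directory values are copied from the tables above; the helper names (rva_to_section, check_directories, writable_executable_sections, sections_with_uninitialised_tail) are this example's own.

```python
"""Map RVAs from the PE header of Y7iJlbvuxg.exe to the sections that contain them.

Added example, not part of the Joe Sandbox report. Section and data-directory
values are copied from the report's tables; the helper names are this
example's own.
"""
from dataclasses import dataclass
from typing import Optional

IMAGE_BASE = 0x140000000
ENTRYPOINT_VA = 0x14036D2EC  # printed by the report as a VA, not an RVA

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA of the section start
    virtual_size: int
    raw_size: int
    characteristics: int

    @property
    def end(self) -> int:
        return self.virtual_address + self.virtual_size

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.end


# Copied from the report's section table.
SECTIONS = [
    Section(".text",  0x1000,   0x37DFDF, 0x37E000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    Section(".rdata", 0x37F000, 0x18C960, 0x18CA00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    Section(".data",  0x50C000, 0x3310,   0x3200,   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".pdata", 0x510000, 0x29004,  0x29200,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    Section(".reloc", 0x53A000, 0x6180,   0x6200,   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
]

# Non-empty data directories from the report: name -> (RVA, size).
DIRECTORIES = {
    "IMPORT":      (0x50A1D4, 0x17C),
    "EXCEPTION":   (0x510000, 0x29004),
    "BASERELOC":   (0x53A000, 0x6180),
    "DEBUG":       (0x478EE0, 0x54),
    "TLS":         (0x478F80, 0x28),
    "LOAD_CONFIG": (0x478DA0, 0x140),
    "IAT":         (0x37F000, 0x660),
}


def rva_to_section(rva: int, sections=SECTIONS) -> Optional[str]:
    """Name of the section whose virtual range covers `rva`, or None if no section does."""
    for s in sections:
        if s.contains(rva):
            return s.name
    return None


def entrypoint_section(ep_va: int = ENTRYPOINT_VA, image_base: int = IMAGE_BASE) -> Optional[str]:
    """Reproduce the report's 'Entrypoint Section' from the printed VA and ImageBase."""
    return rva_to_section(ep_va - image_base)


def check_directories(directories=DIRECTORIES, sections=SECTIONS) -> dict:
    """For each directory, the section holding its whole [rva, rva + size) range.

    A directory that starts in one section but ends outside it, or in no section,
    maps to None; in a real binary that is the entry worth a second look.
    """
    result = {}
    for name, (rva, size) in directories.items():
        first = rva_to_section(rva, sections)
        last = rva_to_section(rva + size - 1, sections) if size else first
        result[name] = first if first == last else None
    return result


def writable_executable_sections(sections=SECTIONS) -> list:
    """Sections mapped both writable and executable (a common packer / self-modifying-code tell)."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s.name for s in sections if s.characteristics & wx == wx]


def sections_with_uninitialised_tail(sections=SECTIONS) -> list:
    """Sections whose virtual size exceeds the raw size (the tail is zero-filled by the loader)."""
    return [s.name for s in sections if s.virtual_size > s.raw_size]


if __name__ == "__main__":
    print("entrypoint section:", entrypoint_section())
    for name, sec in check_directories().items():
        print(f"{name:12} -> {sec}")
    print("W+X sections:", writable_executable_sections())
    print("virtual > raw:", sections_with_uninitialised_tail())
```

Run against the page's values this yields `.text` for the entrypoint, the same section names the report prints for every non-empty directory, no writable-and-executable section, and only `.data` with a zero-filled tail, which is consistent with an unpacked, compiler-built image rather than a packed one.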
DLL                                Import
api-ms-win-core-synch-l1-2-0.dll   WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll               ProcessPrng
kernel32.dll                       GetOverlappedResult, ReadFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetCurrentThreadId, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, PostQueuedCompletionStatus, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetQueuedCompletionStatusEx, GetCommandLineW, SetFileInformationByHandle, SetFilePointerEx, CreateIoCompletionPort, IsProcessorFeaturePresent, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, GetModuleHandleW, QueryPerformanceFrequency, GetProcAddress, HeapFree, HeapReAlloc, ReleaseMutex, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, DeleteFileW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcessHeap, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, GetCurrentProcess, SetHandleInformation, DuplicateHandle, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, lstrlenW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, CloseHandle, CreateWaitableTimerExW
user32.dll                         SystemParametersInfoW
shell32.dll                        SHGetKnownFolderPath
ole32.dll                          CoTaskMemFree
advapi32.dll                       RegQueryValueExW, RegOpenKeyExW, RegCloseKey, SystemFunction036
ws2_32.dll                         send, recv, shutdown, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, WSAStartup, WSACleanup, getaddrinfo, closesocket, WSASend, freeaddrinfo
secur32.dll                        ApplyControlToken, AcquireCredentialsHandleA, QueryContextAttributesW, EncryptMessage, FreeContextBuffer, AcceptSecurityContext, InitializeSecurityContextW, DecryptMessage, FreeCredentialsHandle, DeleteSecurityContext
crypt32.dll                        CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertFreeCertificateChain, CertDuplicateCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertDuplicateStore, CertGetCertificateChain, CertCloseStore, CertOpenStore
ntdll.dll                          NtCancelIoFileEx, NtReadFile, NtCreateFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtWriteFile
bcrypt.dll                         BCryptGenRandom
VCRUNTIME140.dll                   memcmp, __current_exception_context, memset, __current_exception, memcpy, memmove, __CxxFrameHandler3, _CxxThrowException, __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll     powf, pow, round, roundf, truncf, ceil, exp2f, __setusermatherr
                                                                    api-ms-win-crt-runtime-l1-1-0.dll_crt_atexit, _initialize_narrow_environment, _get_initial_narrow_environment, _configure_narrow_argv, _set_app_type, _initterm, _initterm_e, _register_onexit_function, terminate, _initialize_onexit_table, exit, _exit, _seh_filter_exe, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback
                                                                    api-ms-win-crt-stdio-l1-1-0.dll__p__commode, _set_fmode
                                                                    api-ms-win-crt-locale-l1-1-0.dll_configthreadlocale
                                                                    api-ms-win-crt-heap-l1-1-0.dllfree, _set_new_mode
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 18:50:02.628776073 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:02.628820896 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:02.629024982 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:02.648997068 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:02.649022102 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.205858946 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.205940962 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.211786032 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.211803913 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.212276936 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.259274960 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.532957077 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.579320908 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.668847084 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.668940067 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.668983936 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669023991 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.669037104 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669076920 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669085979 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.669092894 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669156075 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.669336081 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669835091 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669867992 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669892073 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.669898987 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669940948 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.669946909 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.669954062 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.670011997 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.678447008 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.678570032 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.678740025 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.678747892 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.728029966 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.756371021 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.756458044 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.756498098 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.756513119 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.756531000 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.756577015 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.756897926 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.757222891 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.757268906 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.757298946 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.757307053 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.757349968 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.757359028 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Jan 12, 2025 18:50:03.757417917 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.759612083 CET | 49704 | 443 | 192.168.2.5 | 199.232.196.193
Jan 12, 2025 18:50:03.759628057 CET | 443 | 49704 | 199.232.196.193 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 18:50:02.616828918 CET | 61485 | 53 | 192.168.2.5 | 1.1.1.1
Jan 12, 2025 18:50:02.624241114 CET | 53 | 61485 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 18:50:02.616828918 CET | 192.168.2.5 | 1.1.1.1 | 0xf8ec | Standard query (0) | i.imgur.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 18:50:02.624241114 CET | 1.1.1.1 | 192.168.2.5 | 0xf8ec | No error (0) | i.imgur.com | ipv4.imgur.map.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 12, 2025 18:50:02.624241114 CET | 1.1.1.1 | 192.168.2.5 | 0xf8ec | No error (0) | ipv4.imgur.map.fastly.net | | 199.232.196.193 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 18:50:02.624241114 CET | 1.1.1.1 | 192.168.2.5 | 0xf8ec | No error (0) | ipv4.imgur.map.fastly.net | | 199.232.192.193 | A (IP address) | IN (0x0001) | false
• i.imgur.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 199.232.196.193 | 443 | 2800 | C:\Users\user\Desktop\Y7iJlbvuxg.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 17:50:03 UTC | 62 | OUT | GET /HCYQoVR.jpeg HTTP/1.1
accept: */*
host: i.imgur.com
2025-01-12 17:50:03 UTC | 762 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 28864
Content-Type: image/jpeg
Last-Modified: Mon, 30 Dec 2024 19:23:51 GMT
ETag: "70f83e99427ac54b92283eaecb69c5df"
x-amz-server-side-encryption: AES256
X-Amz-Cf-Pop: IAD89-P1
X-Amz-Cf-Id: w1veLHWiaEcBL8caleHyCc4jlmIU2__N_q7NNoWzZBqTAalmsqn0vA==
cache-control: public, max-age=31536000
Accept-Ranges: bytes
Age: 1068766
Date: Sun, 12 Jan 2025 17:50:03 GMT
X-Served-By: cache-iad-kjyo7100042-IAD, cache-ewr-kewr1740025-EWR
X-Cache: Miss from cloudfront, HIT, HIT
X-Cache-Hits: 85, 0
X-Timer: S1736704204.617377,VS0,VE1
Strict-Transport-Security: max-age=300
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
Server: cat factory 1.0
X-Content-Type-Options: nosniff


Target ID: 0
Start time: 12:50:01
Start date: 12/01/2025
Path: C:\Users\user\Desktop\Y7iJlbvuxg.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Y7iJlbvuxg.exe"
Imagebase: 0x7ff65dd90000
File size: 5'493'760 bytes
MD5 hash: C8DD54784FB1B6CBD16CEC060487FB8F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:50:01
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 12:50:01
Start date: 12/01/2025
Path: C:\Windows\System32\net.exe
Wow64 process (32bit): false
Commandline: "net" session
Imagebase: 0x7ff740640000
File size: 59'904 bytes
MD5 hash: 0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 12:50:01
Start date: 12/01/2025
Path: C:\Windows\System32\net1.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\net1 session
Imagebase: 0x7ff73fda0000
File size: 183'808 bytes
MD5 hash: 55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 12:50:01
Start date: 12/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                    Target ID:6
                                                                    Start time:12:50:01
                                                                    Start date:12/01/2025
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command "wevtutil sl Security /e:false"
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:12:50:01
                                                                    Start date:12/01/2025
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command "wevtutil sl Application /e:false"
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:12:50:01
                                                                    Start date:12/01/2025
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:12:50:05
                                                                    Start date:12/01/2025
                                                                    Path:C:\Windows\System32\wevtutil.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\system32\wevtutil.exe" sl Application /e:false
                                                                    Imagebase:0x7ff77a2f0000
                                                                    File size:278'016 bytes
                                                                    MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:12:50:05
                                                                    Start date:12/01/2025
                                                                    Path:C:\Windows\System32\wevtutil.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\system32\wevtutil.exe" sl Security /e:false
                                                                    Imagebase:0x7ff77a2f0000
                                                                    File size:278'016 bytes
                                                                    MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:12:50:09
                                                                    Start date:12/01/2025
                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                    Imagebase:0x7ff6ef0c0000
                                                                    File size:496'640 bytes
                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2145101426.00007FF65DD91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65DD90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff65dd90000_Y7iJlbvuxg.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                      • String ID:
                                                                      • API String ID: 2933794660-0
                                                                      • Opcode ID: 2b05a0a51ad225180e439d4162611a6eec26e3c2d54be5cf86bd29c62f83bf5c
                                                                      • Instruction ID: 6f6f288873546fab27d073dddc79c639614f9985a60c4621b445020b956ad029
                                                                      • Opcode Fuzzy Hash: 2b05a0a51ad225180e439d4162611a6eec26e3c2d54be5cf86bd29c62f83bf5c
                                                                      • Instruction Fuzzy Hash: C5115E26B18F158AEF10CF60E9452B833A4F729758F081E31EA2DD67A8DF7CD1A48340
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2165229701.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
                                                                      • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                                      • Opcode Fuzzy Hash: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
                                                                      • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45