Windows Analysis Report
3vj5tYFb6a.exe

Overview

General Information

Sample Name:3vj5tYFb6a.exe
Original Sample Name:10243ce788b5dcbbf248058fe196f371.exe
Analysis ID:1334037
MD5:10243ce788b5dcbbf248058fe196f371
SHA1:0da95887908b6ada23c698de6cf2f3f986655721
SHA256:8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
Tags:exe
Infos:

Detection

Snake Keylogger, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
Creates an undocumented autostart registry key
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
May check the online IP address of the machine
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 3vj5tYFb6a.exe (PID: 2640 cmdline: C:\Users\user\Desktop\3vj5tYFb6a.exe MD5: 10243CE788B5DCBBF248058FE196F371)
    • conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 7232 cmdline: "C:\Windows\system32\ipconfig.exe" /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
    • powershell.exe (PID: 7252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 6000 cmdline: "C:\Windows\system32\ipconfig.exe" /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
    • aspnet_compiler.exe (PID: 7512 cmdline: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
      • WerFault.exe (PID: 7648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 2204 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component that targets browser information and cryptowallets. It usually spreads by USB or by phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
Malware Configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "noni@ehrgeizig2021.xyz", "Password": "Moneymatter@123", "Host": "mail.privateemail.com"}
Yara matches (memory dumps)

Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_TelegramRAT
Description: Yara detected Telegram RAT
Author: Joe Security

Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_SnakeKeylogger
Description: Yara detected Snake Keylogger
Author: Joe Security

Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0x13c4d:$a1: get_encryptedPassword
  • 0x13f39:$a2: get_encryptedUsername
  • 0x13a59:$a3: get_timePasswordChanged
  • 0x13b54:$a4: get_passwordField
  • 0x13c63:$a5: set_encryptedPassword
  • 0x15268:$a7: get_logins
  • 0x151cb:$a10: KeyLoggerEventArgs
  • 0x14e3b:$a11: KeyLoggerEventArgsEventHandler

Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: MALWARE_Win_SnakeKeylogger
Description: Detects Snake Keylogger
Author: ditekSHen
Strings:
  • 0x1750c:$x1: $%SMTPDV$
  • 0x17522:$x2: $#TheHashHere%&
  • 0x1886c:$x3: %FTPDV$
  • 0x18934:$x4: $%TelegramDv$
  • 0x14e3b:$x5: KeyLoggerEventArgs
  • 0x151cb:$x5: KeyLoggerEventArgs
  • 0x188dc:$m1: | Snake Keylogger
  • 0x18994:$m1: | Snake Keylogger
  • 0x18ae8:$m1: | Snake Keylogger
  • 0x18c0e:$m1: | Snake Keylogger
  • 0x18d68:$m1: | Snake Keylogger
  • 0x18890:$m2: Clipboard Logs ID
  • 0x18a9e:$m2: Screenshot Logs ID
  • 0x18bb2:$m2: keystroke Logs ID
  • 0x18d9e:$m3: SnakePW
  • 0x18a76:$m4: \SnakeKeylogger\
Yara matches (unpacked PE files)

Source: 0.2.3vj5tYFb6a.exe.3c63610.7.unpack
Rule: JoeSecurity_zgRAT_1
Description: Yara detected zgRAT
Author: Joe Security

Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack
Rule: JoeSecurity_zgRAT_1
Description: Yara detected zgRAT
Author: Joe Security

Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack
Rule: JoeSecurity_zgRAT_1
Description: Yara detected zgRAT
Author: Joe Security

Source: 0.2.3vj5tYFb6a.exe.5090000.9.unpack
Rule: JoeSecurity_zgRAT_1
Description: Yara detected zgRAT
Author: Joe Security

Source: 0.2.3vj5tYFb6a.exe.3b835b0.2.unpack
Rule: JoeSecurity_zgRAT_1
Description: Yara detected zgRAT
Author: Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "noni@ehrgeizig2021.xyz", "Password": "Moneymatter@123", "Host": "mail.privateemail.com"}
Source: 3vj5tYFb6a.exe | ReversingLabs: Detection: 62%
Source: 3vj5tYFb6a.exe | Virustotal: Detection: 63%
Source: 3vj5tYFb6a.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe | Avira: detection malicious, Label: TR/Dldr.Agent.mrjvn
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe | Virustotal: Detection: 63%
Source: 3vj5tYFb6a.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.160.84:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.28.190:443 -> 192.168.2.5:49722 version: TLS 1.0
Source: 3vj5tYFb6a.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\aspnet_compiler.pdb+ source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.ni.pdbRSDS source: WERC146.tmp.dmp.25.dr
Source: Binary string: \??\C:\Windows\exe\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbesW source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdbz source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbq source: WERC146.tmp.dmp.25.dr
Source: Binary string: @&o.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERC146.tmp.dmp.25.dr
Source: Binary string: ,,.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\aspnet_compiler.pdbv source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb* source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o@C:\Windows\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\aspnet_compiler.PDB source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbh source: aspnet_compiler.exe, 00000016.00000002.2744857661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: aspnet_compiler.exe, 00000016.00000002.2744857661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC146.tmp.dmp.25.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb< source: aspnet_compiler.exe, 00000016.00000002.2743593917.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\aspnet_compiler.pdbpdbler.pdb source: aspnet_compiler.exe, 00000016.00000002.2744857661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\aspnet_compiler.pdbH source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: ?&oC:\Users\user\AppData\Local\Temp\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb]#x source: aspnet_compiler.exe, 00000016.00000002.2743593917.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbL source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\aspnet_compiler.pdbX source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdbmpiler.pdbpdbler.pdbompiler.pdbu source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: \??\C:\Windows\aspnet_compiler.pdb* source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb| source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.Core.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\aspnet_compiler.PDB source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006779000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000000.2666599950.0000000000E52000.00000002.00000001.01000000.00000007.sdmp, aspnet_compiler.exe.0.dr
Source: Binary string: \??\C:\Windows\symbols\exe\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.ni.pdb source: WERC146.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERC146.tmp.dmp.25.dr

Networking

Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected:
    GET /xml/154.16.49.82 HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xml/154.16.49.82 HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: unknown | HTTPS traffic detected: 172.67.160.84:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.28.190:443 -> 192.168.2.5:49722 version: TLS 1.0
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Mon, 30 Oct 2023 05:48:07 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Age: 0
    Cache-Control: public,max-age=0,must-revalidate
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01HDZJ02AFES9CKAYD8VYCNN2C
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GMVxCTCuT03JBSoMF4Po387hkk3lt4sAHoK8j25jn%2FBrf882gb2cR1qx%2Bg7CoOS0XXFu%2FU7GA%2BZ2tm1pY0rUR8EFU0S6QOtaKfXcB6KS20eZqZ3GlaKhit%2FB2m2e"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81e15e153ea91fd4-IAD
    alt-svc: h3=":443"; ma=86400
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.app
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.000000000311D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipbase.com
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.25.dr | String found in binary or memory: http://upx.sf.net
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.0000000003115000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.000000000317B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.000000000317B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app
Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/xml/154.16.49.82
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.000000000311D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipbase.com
Source: aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.000000000311D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.0000000003119000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipbase.com/xml/154.16.49.82
Source: unknown | DNS traffic detected: queries for: www.google.com

System Summary

                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 3vj5tYFb6a.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 2204
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Code function: 0_2_01130848
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Code function: 0_2_01132178
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Code function: 0_2_01130839
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Code function: 0_2_05AE54A8
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Code function: 0_2_05AE5499
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Code function: 22_2_016A9278
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Code function: 22_2_016A4577
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Code function: 22_2_016A65C8
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Code function: 22_2_016A5FA0
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQnefohbpaxqtrkoddpzy.dll" vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003C63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQnefohbpaxqtrkoddpzy.dll" vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000000.2041455926.00000000007A4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAgwo.exej% vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2691462788.0000000005090000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameQnefohbpaxqtrkoddpzy.dll" vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs 3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe | Binary or memory string: OriginalFilenameAgwo.exej% vs 3vj5tYFb6a.exe
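The entries above come from comparing VERSIONINFO OriginalFilename values found in the process's memory with the name the sample actually runs under. The file on disk calls itself Agwo.exe, while memory also holds Qnefohbpaxqtrkoddpzy.dll and iJMJnUDAnLMGBkvrphkwZ.exe, which is what you expect from additional assemblies unpacked in memory. The Python below is an added example, not code from the report or from Joe Sandbox: it performs the same check on a memory region constructed here, using a small builder that mimics the UTF-16LE key/value layout of a VS_VERSIONINFO String entry. The clrjit.dll hit in the report shows the caveat a practitioner needs: CLR modules are mapped into every .NET process, so runtime module names must be allow-listed, and the check is a triage signal rather than a verdict. The allow-list contents are this example's assumption.

```python
"""Extract OriginalFilename values from a memory region and compare them
with the running image name. Added example; the region is constructed."""
import re

# VS_VERSIONINFO String entries store key and value as UTF-16LE, with the
# value following the NUL-terminated key after DWORD alignment padding.
_KEY = "OriginalFilename".encode("utf-16-le")
_VALUE = re.compile(rb"(?:\x00\x00){0,3}((?:[\x20-\x7e]\x00){1,200}?)\x00\x00")


def extract_original_filenames(region: bytes) -> list[str]:
    """Return every decodable OriginalFilename value in the region, in order."""
    names = []
    pos = region.find(_KEY)
    while pos != -1:
        m = _VALUE.match(region, pos + len(_KEY))
        if m:
            names.append(m.group(1).decode("utf-16-le"))
        pos = region.find(_KEY, pos + len(_KEY))
    return names


def mismatched_original_filenames(
    region: bytes,
    image_name: str,
    ignore: frozenset = frozenset({"clrjit.dll", "mscorlib.dll"}),  # assumed runtime allow-list
) -> list[str]:
    """OriginalFilename values that differ from the image name, minus known
    CLR modules that legitimately appear in any .NET process."""
    want = image_name.lower()
    return [n for n in extract_original_filenames(region)
            if n and n.lower() != want and n.lower() not in ignore]


def _vs_string(key: str, value: str) -> bytes:
    """Stand-in for one VS_VERSIONINFO String entry: key, NUL, DWORD pad, value, NUL."""
    blob = key.encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * ((-len(blob)) % 4)
    return blob + value.encode("utf-16-le") + b"\x00\x00"


# Constructed memory region carrying the names seen in this report.
CONSTRUCTED_REGION = (
    b"MZ\x90\x00" + b"\x00" * 12
    + _vs_string("OriginalFilename", "Agwo.exe")
    + b"\x01\x02junk"
    + _vs_string("ProductName", "Agwo")
    + _vs_string("OriginalFilename", "Qnefohbpaxqtrkoddpzy.dll")
    + _vs_string("OriginalFilename", "clrjit.dll")
    + _vs_string("OriginalFilename", "iJMJnUDAnLMGBkvrphkwZ.exe")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name in mismatched_original_filenames(CONSTRUCTED_REGION, "3vj5tYFb6a.exe"):
        print(f"OriginalFilename{name} vs 3vj5tYFb6a.exe")
```

On a real dump, run it per memory region (as the report does) so that the region address tells you whether a hit lives in the mapped image or in a heap allocation, which is where unpacked stages end up.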
                  Source: 3vj5tYFb6a.exe | ReversingLabs: Detection: 62%
                  Source: 3vj5tYFb6a.exe | Virustotal: Detection: 63%
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | File read: C:\Users\user\Desktop\3vj5tYFb6a.exe
                  Source: 3vj5tYFb6a.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\3vj5tYFb6a.exe C:\Users\user\Desktop\3vj5tYFb6a.exe
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /release
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /renew
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 2204
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /release
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /renew
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | File created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
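The process tree above has a recognisable shape: the sample drives PowerShell through ipconfig /release, five Test-Connection www.google.com probes and ipconfig /renew, drops a copy of aspnet_compiler.exe into %TEMP%, runs it from there, and that copy crashes into WerFault. aspnet_compiler.exe is a .NET Framework tool that ships only under %WINDIR%\Microsoft.NET, so a copy executing from a user-writable directory is itself worth an alert. The Python below is an added example and not part of the Joe Sandbox report: it triages a list of process-creation events constructed from the tree above. The event schema, the list of framework tool names and the probe threshold are this example's own assumptions; in practice the events would come from Sysmon or an EDR.

```python
"""Triage of process-creation events for the shape this report shows:
PowerShell running ipconfig /release, repeated Test-Connection, ipconfig /renew,
and a .NET framework tool executed from a user-writable directory.
Added example; event schema and tool list are this example's assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
_SAMPLE = r"C:\Users\user\Desktop\3vj5tYFb6a.exe"
_DROPPED = r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe"

# Events constructed from the process tree in this report (conhost omitted).
EVENTS = [
    ProcEvent(_SAMPLE, _PS, _PS_CMD + "ipconfig /release"),
    ProcEvent(_PS, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe" /release'),
    *[ProcEvent(_SAMPLE, _PS, _PS_CMD + "Test-Connection www.google.com") for _ in range(5)],
    ProcEvent(_SAMPLE, _PS, _PS_CMD + "ipconfig /renew"),
    ProcEvent(_PS, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe" /renew'),
    ProcEvent(_SAMPLE, _DROPPED, _DROPPED),
    ProcEvent(_DROPPED, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 2204"),
]

# Assumed list of .NET Framework tools that legitimately live only under %WINDIR%\Microsoft.NET.
FRAMEWORK_TOOLS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe", "csc.exe", "vbc.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
NET_PROBE = re.compile(r"\b(ipconfig\s+/(release|renew)|test-connection\b)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_relocated_framework_tools(events):
    """Framework tools launched from a user-writable directory."""
    return [e for e in events
            if basename(e.image) in FRAMEWORK_TOOLS and USER_WRITABLE.match(e.image)]


def find_network_probe_chain(events, min_probes: int = 3):
    """Parents in user-writable paths that drive release, Test-Connection and
    renew through PowerShell; returns those parent image paths."""
    per_parent: dict[str, list[str]] = {}
    for e in events:
        if basename(e.image) == "powershell.exe" and USER_WRITABLE.match(e.parent):
            m = NET_PROBE.search(e.cmdline)
            if m:
                per_parent.setdefault(e.parent, []).append(m.group(1).lower())
    hits = []
    for parent, cmds in per_parent.items():
        has_release = any(c.startswith("ipconfig") and c.endswith("release") for c in cmds)
        has_renew = any(c.startswith("ipconfig") and c.endswith("renew") for c in cmds)
        probes = sum(1 for c in cmds if c.startswith("test-connection"))
        if has_release and has_renew and probes >= min_probes:
            hits.append(parent)
    return hits


def triage(events):
    findings = []
    for e in find_relocated_framework_tools(events):
        findings.append(f"framework tool outside %WINDIR%: {e.image} (parent {e.parent})")
    for parent in find_network_probe_chain(events):
        findings.append(f"ipconfig release/renew with Test-Connection loop driven by {parent}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The two checks are independent on purpose: the relocated framework tool fires on a single event and is the cheaper, higher-confidence one, while the network probe chain needs the whole parent's children and would also fire on a user-written script that resets DHCP, so it is the one to tune with min_probes.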
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@30/24@4/3
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: 3vj5tYFb6a.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7512
                  Source: aspnet_compiler.exe, 00000016.00000002.2743593917.0000000001526000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb]#x
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, eq38wbJIFbrep7POmEO.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: 3vj5tYFb6a.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 3vj5tYFb6a.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: 3vj5tYFb6a.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\aspnet_compiler.pdb+ source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: \??\C:\Windows\exe\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbesW source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdbz source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbq source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: @&o.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: ,,.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\aspnet_compiler.pdbv source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdb* source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: o@C:\Windows\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\aspnet_compiler.PDB source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbh source: aspnet_compiler.exe, 00000016.00000002.2744857661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: aspnet_compiler.exe, 00000016.00000002.2744857661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.Core.ni.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb< source: aspnet_compiler.exe, 00000016.00000002.2743593917.0000000001526000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\aspnet_compiler.pdbpdbler.pdb source: aspnet_compiler.exe, 00000016.00000002.2744857661.00000000015DB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\exe\aspnet_compiler.pdbH source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: ?&oC:\Users\user\AppData\Local\Temp\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb]#x source: aspnet_compiler.exe, 00000016.00000002.2743593917.0000000001526000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbL source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: symbols\exe\aspnet_compiler.pdbX source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdbmpiler.pdbpdbler.pdbompiler.pdbu source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: \??\C:\Windows\aspnet_compiler.pdb* source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb| source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.Core.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\aspnet_compiler.PDB source: aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006779000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743267917.0000000000FE7000.00000004.00000010.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000000.2666599950.0000000000E52000.00000002.00000001.01000000.00000007.sdmp, aspnet_compiler.exe.0.dr
                  Source: Binary string: \??\C:\Windows\symbols\exe\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\aspnet_compiler.pdb source: aspnet_compiler.exe, 00000016.00000002.2746693055.0000000006740000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.ni.pdb source: WERC146.tmp.dmp.25.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERC146.tmp.dmp.25.dr

                  Data Obfuscation

                  barindex
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, eq38wbJIFbrep7POmEO.cs.Net Code: Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777338)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777253)),Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777300))})
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, eq38wbJIFbrep7POmEO.cs.Net Code: Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777338)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777253)),Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777300))})
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, eq38wbJIFbrep7POmEO.cs.Net Code: Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777338)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777253)),Type.GetTypeFromHandle(Le2jV7ixGP6fC9nKmma.uQxBWdNAFF(16777300))})
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeCode function: 0_2_01070D80 pushfd ; retf 0_2_01070D81
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeCode function: 0_2_01070CD0 pushad ; retf 0_2_01070D11
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeCode function: 0_2_011359C2 push ebp; retf 0_2_011359C8
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeCode function: 0_2_01135A01 push ss; retf 0_2_01135A07
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeCode function: 0_2_05AE9F7B push edi; retn 0080h0_2_05AE9F7D
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 22_2_016A2AD7 push 00000001h; iretd 22_2_016A2B70
                  Source: 3vj5tYFb6a.exeStatic PE information: 0xC2FC6181 [Wed Aug 30 11:58:57 2073 UTC]
                  Source: initial sampleStatic PE information: section name: .text entropy: 6.830640750171603
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, eq38wbJIFbrep7POmEO.csHigh entropy of concatenated method names: 'tRDxNFg25lXMpc4XOMV', 'AFlVQNgWYUFc3vcg5kY', 'haDRGpGI3w', 'kjFuFOgLPLA2NPnkPbI', 'EjIu8mgbcEtcfxlAQ8Z', 'CogcfYg4viT4XbNbQm8', 'NJK0HP6bbE', 'E0FiS7xLUt', 'bNsiU3ROXw', 'M40iAIYai7'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, HN9KIJUeHH44DgKwGf5.csHigh entropy of concatenated method names: 'fkQUc2s4Qo', 'NC0UEEkLfP', 'ADAUO2gK8D', 'cJiUl5jhgU', 'xVR3csInqmPPQI64IBf', 'Wqui2LINHnPqYRnKJsi', 'jJIcy6IXEdtVeZfnBQp', 'bRZB0tI71W4mlFsYhai'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, oW8Qx78jXxe0ygXvhVf.csHigh entropy of concatenated method names: 'sPO8Q4ZxMV', 'Ujv81bemJu', 'Xkl8nwtVno', 'APMEjYHND2qAn2mZalC', 'dSHlNiHXWAHFXkkBbvo', 'FFO8ORwJxa', 'Tpn8la1i24', 'um18PxYd2o', 'm1n8yJyTHF', 'i4m8cGdQja'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, DvwIIBVkatmMZZN5yy.csHigh entropy of concatenated method names: 'GcpW9LmF4', 'PsdddZduS', 'ub2F5D2pK', 'TeIqgbZGe', 'uRWL6eBGO', 'EFxbHFtmI', 'wDQ4WeCXu', 'twDv7kmVS', 'nDLpKPtxW', 'N1Te2EED8'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, SVEb4x3TpIPjn5HQEJ.csHigh entropy of concatenated method names: 'ctcHXwje0', 'cNLgM1qyb', 'znfBl8Qg6', 'nZeQbSbge', 'cE81cGrjA', 'NX5nnB0Ix', 'f8DNbhys5', 'zk5XIsp59', 'xZY7T0773', 'HGBDAT3Gvp0LjbssJM4'
                  Source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, khSvEaANCK3T70tyssQ.csHigh entropy of concatenated method names: 'sE6ALiwEEn', 'uOkN3oI96qbAVufMUgl', 'IIHJpYI654bsYkUwYCq', 'St2A7gEZU0', 'nQ7AW2im48', 'BtvAVG3HDy', 'JxlA2NnbcT', 'JR14MoIyfjFDcp4LLkq', 'WrYe0IIDyYG1YboDlrm', 'W19mr0Ir0gAQNE0sJMG'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, eq38wbJIFbrep7POmEO.csHigh entropy of concatenated method names: 'tRDxNFg25lXMpc4XOMV', 'AFlVQNgWYUFc3vcg5kY', 'haDRGpGI3w', 'kjFuFOgLPLA2NPnkPbI', 'EjIu8mgbcEtcfxlAQ8Z', 'CogcfYg4viT4XbNbQm8', 'NJK0HP6bbE', 'E0FiS7xLUt', 'bNsiU3ROXw', 'M40iAIYai7'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, HN9KIJUeHH44DgKwGf5.csHigh entropy of concatenated method names: 'fkQUc2s4Qo', 'NC0UEEkLfP', 'ADAUO2gK8D', 'cJiUl5jhgU', 'xVR3csInqmPPQI64IBf', 'Wqui2LINHnPqYRnKJsi', 'jJIcy6IXEdtVeZfnBQp', 'bRZB0tI71W4mlFsYhai'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, oW8Qx78jXxe0ygXvhVf.csHigh entropy of concatenated method names: 'sPO8Q4ZxMV', 'Ujv81bemJu', 'Xkl8nwtVno', 'APMEjYHND2qAn2mZalC', 'dSHlNiHXWAHFXkkBbvo', 'FFO8ORwJxa', 'Tpn8la1i24', 'um18PxYd2o', 'm1n8yJyTHF', 'i4m8cGdQja'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, DvwIIBVkatmMZZN5yy.csHigh entropy of concatenated method names: 'GcpW9LmF4', 'PsdddZduS', 'ub2F5D2pK', 'TeIqgbZGe', 'uRWL6eBGO', 'EFxbHFtmI', 'wDQ4WeCXu', 'twDv7kmVS', 'nDLpKPtxW', 'N1Te2EED8'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, SVEb4x3TpIPjn5HQEJ.csHigh entropy of concatenated method names: 'ctcHXwje0', 'cNLgM1qyb', 'znfBl8Qg6', 'nZeQbSbge', 'cE81cGrjA', 'NX5nnB0Ix', 'f8DNbhys5', 'zk5XIsp59', 'xZY7T0773', 'HGBDAT3Gvp0LjbssJM4'
                  Source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, khSvEaANCK3T70tyssQ.csHigh entropy of concatenated method names: 'sE6ALiwEEn', 'uOkN3oI96qbAVufMUgl', 'IIHJpYI654bsYkUwYCq', 'St2A7gEZU0', 'nQ7AW2im48', 'BtvAVG3HDy', 'JxlA2NnbcT', 'JR14MoIyfjFDcp4LLkq', 'WrYe0IIDyYG1YboDlrm', 'W19mr0Ir0gAQNE0sJMG'
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, eq38wbJIFbrep7POmEO.csHigh entropy of concatenated method names: 'tRDxNFg25lXMpc4XOMV', 'AFlVQNgWYUFc3vcg5kY', 'haDRGpGI3w', 'kjFuFOgLPLA2NPnkPbI', 'EjIu8mgbcEtcfxlAQ8Z', 'CogcfYg4viT4XbNbQm8', 'NJK0HP6bbE', 'E0FiS7xLUt', 'bNsiU3ROXw', 'M40iAIYai7'
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, HN9KIJUeHH44DgKwGf5.csHigh entropy of concatenated method names: 'fkQUc2s4Qo', 'NC0UEEkLfP', 'ADAUO2gK8D', 'cJiUl5jhgU', 'xVR3csInqmPPQI64IBf', 'Wqui2LINHnPqYRnKJsi', 'jJIcy6IXEdtVeZfnBQp', 'bRZB0tI71W4mlFsYhai'
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, oW8Qx78jXxe0ygXvhVf.csHigh entropy of concatenated method names: 'sPO8Q4ZxMV', 'Ujv81bemJu', 'Xkl8nwtVno', 'APMEjYHND2qAn2mZalC', 'dSHlNiHXWAHFXkkBbvo', 'FFO8ORwJxa', 'Tpn8la1i24', 'um18PxYd2o', 'm1n8yJyTHF', 'i4m8cGdQja'
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, DvwIIBVkatmMZZN5yy.csHigh entropy of concatenated method names: 'GcpW9LmF4', 'PsdddZduS', 'ub2F5D2pK', 'TeIqgbZGe', 'uRWL6eBGO', 'EFxbHFtmI', 'wDQ4WeCXu', 'twDv7kmVS', 'nDLpKPtxW', 'N1Te2EED8'
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, SVEb4x3TpIPjn5HQEJ.csHigh entropy of concatenated method names: 'ctcHXwje0', 'cNLgM1qyb', 'znfBl8Qg6', 'nZeQbSbge', 'cE81cGrjA', 'NX5nnB0Ix', 'f8DNbhys5', 'zk5XIsp59', 'xZY7T0773', 'HGBDAT3Gvp0LjbssJM4'
                  Source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, khSvEaANCK3T70tyssQ.csHigh entropy of concatenated method names: 'sE6ALiwEEn', 'uOkN3oI96qbAVufMUgl', 'IIHJpYI654bsYkUwYCq', 'St2A7gEZU0', 'nQ7AW2im48', 'BtvAVG3HDy', 'JxlA2NnbcT', 'JR14MoIyfjFDcp4LLkq', 'WrYe0IIDyYG1YboDlrm', 'W19mr0Ir0gAQNE0sJMG'

                  Persistence and Installation Behavior

                  barindex
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /release
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeFile created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe

                  Boot Survival

                  barindex
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe\:Zone.Identifier:$DATA
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe TID: 5812 | Thread sleep time: -33000s >= -30000s
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe TID: 4724 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184 | Thread sleep count: 861 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 | Thread sleep count: 322 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380 | Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500 | Thread sleep count: 4349 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504 | Thread sleep count: 4735 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7536 | Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep count: 4290 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep count: 4994 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 | Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7904 | Thread sleep time: -17524406870024063s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep count: 3492 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4332 | Thread sleep count: 5878 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172 | Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7720 | Thread sleep count: 594 > 30
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599890s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7720 | Thread sleep count: 1397 > 30
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599781s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599672s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599562s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599449s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599343s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599234s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599118s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -599015s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 7716 | Thread sleep time: -595804s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599890
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599781
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599672
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599562
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599449
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599343
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599234
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599118
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 599015
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 595804
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 861
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3508
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5786
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4349
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4735
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4290
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4994
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4398
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5051
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3492
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5878
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1178
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Window / User API: threadDelayed 594
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Window / User API: threadDelayed 1397
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process information queried: ProcessInformation
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.25.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.25.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.25.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.25.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.25.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.25.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.25.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.25.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: aspnet_compiler.exe, 00000016.00000002.2743593917.0000000001526000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.25.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.25.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.25.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.25.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.25.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.25.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.25.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.25.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.25.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.25.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.25.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.25.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process queried: DebugPort
                  Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 400000
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 402000
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 422000
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 424000
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 108B008
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /release
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /renew
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Queries volume information: C:\Users\user\Desktop\3vj5tYFb6a.exe VolumeInformation
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.25.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.25.dr | Binary or memory string: MsMpEng.exe
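The rows above carry the two behaviours a detection should correlate rather than match one at a time: 3vj5tYFb6a.exe allocates a region at base 400000 in aspnet_compiler.exe with execute and write protection and then writes data there whose first bytes are 4D5A (the "MZ" PE signature), and it drives a PowerShell chain of ipconfig /release, Test-Connection www.google.com and ipconfig /renew that resets the host's network before the payload runs. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in this report's "Source: <process> <event>: <detail>" shape (with or without a separator between source and event, and tolerating the "Jump to behavior" link text some extracted rows carry) and reports PE injection only when an MZ-header write lands at the same base the injector itself made writable and executable in a foreign process, so a lone RWX allocation or a lone cross-process write does not fire. The constructed row list, the function name analyse and the finding keys are this example's own choices. The Amcache.hve rows are deliberately left out: that hive inventories the analysis machine's own devices and BIOS, so the VMware and Hyper-V strings in it describe the sandbox host, not a check the sample performed.

```python
import re
from collections import defaultdict

# Constructed sample rows for this example, modelled on the behaviour rows of the
# report above (paths, addresses and command lines copied from it). The " | " between
# source and event is optional: the fused "Source: <path><Event>:" form is parsed too,
# and a trailing "Jump to behavior" link text is stripped.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exeMemory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 400000Jump to behavior",
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 402000",
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 422000",
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 424000",
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 108B008",
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory written: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe base: 400000 value starts with: 4D5A",
    r'Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release',
    r'Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com',
    r'Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew',
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Process created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /release',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /renew',
    # Rows that must not fire: an allocation in the process's own address space
    # (no target process, no base) and an ordinary volume query.
    r"Source: C:\Users\user\Desktop\3vj5tYFb6a.exe | Memory allocated: page read and write | page guard",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation",
]

ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<event>Memory allocated|Memory written|Process created):\s*(?P<detail>.*)$"
)
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)
# ipconfig /release or /renew (run directly or through PowerShell) and Test-Connection probes.
NET_RE = re.compile(r'ipconfig(?:\.exe")?\s+/(?:release|renew)\b|\bTest-Connection\s+\S+', re.IGNORECASE)


def analyse(rows):
    """Correlate behaviour rows into a list of finding dicts."""
    rwx_alloc = set()                   # (src, target, base) allocated with execute+write protection
    mz_write = set()                    # (src, target, base) where the written bytes start with 4D5A
    foreign_writes = defaultdict(int)   # (src, target) -> number of cross-process writes
    spawned = set()                     # (src, child image) pairs
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, event = m["src"].lower(), m["event"]
        detail = re.sub(r"Jump to behavior$", "", m["detail"]).strip()
        if event == "Memory allocated":
            a = ALLOC_RE.match(detail)
            if a and a["target"].lower() != src and "execute" in a["prot"] and "write" in a["prot"]:
                rwx_alloc.add((src, a["target"].lower(), a["base"].upper()))
        elif event == "Memory written":
            w = WRITE_RE.match(detail)
            if w and w["target"].lower() != src:
                foreign_writes[(src, w["target"].lower())] += 1
                if (w["magic"] or "").upper() == "4D5A":
                    mz_write.add((src, w["target"].lower(), w["base"].upper()))
        elif event == "Process created":
            image = detail.split(" ", 1)[0].lower()   # first token; the sample paths contain no spaces
            spawned.add((src, image))
            if NET_RE.search(detail):
                findings.append({"kind": "network_reset_probe", "parent": src, "command": detail})
    # A PE header written into a region the injector made writable and executable in
    # another process is the pattern behind "Injects a PE file into a foreign process";
    # either event alone is not enough, so only the intersection is reported.
    for src, target, base in sorted(mz_write & rwx_alloc):
        findings.append({
            "kind": "pe_injection", "injector": src, "target": target, "base": base,
            "spawned_by_injector": (src, target) in spawned,
            "foreign_writes": foreign_writes[(src, target)],
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_ROWS):
        print(finding)
```

Run against the constructed rows, analyse returns five network_reset_probe findings (the three PowerShell commands and the two ipconfig.exe children) and one pe_injection finding at base 400000 into aspnet_compiler.exe, which the injector also spawned; the self-allocation and the volume query produce nothing.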

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3c63610.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.5090000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3b835b0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3b835b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3ba35d0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3be35f0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3ba35d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2691462788.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTR

Remote Access Functionality

                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3cfb7f0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3d51ac0.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3d29aa0.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 3vj5tYFb6a.exe PID: 2640, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 7512, type: MEMORYSTR
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3c63610.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.5090000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3c63610.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.5090000.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3b835b0.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3b835b0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3ba35d0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3be35f0.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3ba35d0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.3vj5tYFb6a.exe.3be35f0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.2691462788.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic, top to bottom; digits preceding a technique are the hit counters shown in the original matrix cell):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 11 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 11 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 System Network Configuration Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 1334037; Sample: 3vj5tYFb6a.exe; Start date: 30/10/2023; Architecture: WINDOWS; Score: 100)

Contacted domains/IPs: checkip.dyndns.org; www.google.com; 3 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 8 other signatures

3vj5tYFb6a.exe (started)
  dropped: C:\Users\user\AppData\Roaming\...\chronv.exe (PE32); C:\Users\user\AppData\...\aspnet_compiler.exe (PE32)
  signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  -> powershell.exe (started)
       signature: Uses ipconfig to lookup or modify the Windows network settings
       -> conhost.exe (started)
       -> ipconfig.exe (started)
  -> aspnet_compiler.exe (started)
       network: checkip.dyndns.com 193.122.6.168, 49720, 80 (ORACLE-BMC-31898US, United States); ipbase.com 104.21.28.190, 443, 49722 (CLOUDFLARENETUS, United States); freegeoip.app 172.67.160.84, 443, 49721 (CLOUDFLARENETUS, United States)
       -> WerFault.exe (started)
  -> powershell.exe (started)
       -> conhost.exe (started)
       -> ipconfig.exe (started)
  -> 6 other processes
       -> conhost.exe (started); conhost.exe (started); conhost.exe (started); 2 other processes

Antivirus Detection, Initial Sample
Source | Detection | Scanner | Label
3vj5tYFb6a.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
3vj5tYFb6a.exe | 63% | Virustotal |
3vj5tYFb6a.exe | 100% | Avira | TR/Dldr.Agent.mrjvn

Antivirus Detection, Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe | 100% | Avira | TR/Dldr.Agent.mrjvn
C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | 0% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chronv.exe | 63% | Virustotal |

Antivirus Detection, Unpacked PE Files
No Antivirus matches

Antivirus Detection, Domains
Source | Detection | Scanner
ipbase.com | 0% | Virustotal
freegeoip.app | 0% | Virustotal
checkip.dyndns.com | 0% | Virustotal
checkip.dyndns.org | 0% | Virustotal

Antivirus Detection, URLs
Source | Detection | Scanner | Label
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://ipbase.com | 0% | Virustotal |
https://ipbase.com | 0% | Avira URL Cloud | safe
https://freegeoip.app/xml/ | 0% | Avira URL Cloud | safe
https://freegeoip.app/xml/154.16.49.82 | 0% | Avira URL Cloud | safe
http://ipbase.com | 0% | Avira URL Cloud | safe
https://freegeoip.app | 0% | Avira URL Cloud | safe
http://freegeoip.app | 0% | Avira URL Cloud | safe
https://freegeoip.app | 1% | Virustotal |
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125 | 0% | Avira URL Cloud | safe
https://ipbase.com/xml/154.16.49.82 | 0% | Avira URL Cloud | safe
https://ipbase.com | 1% | Virustotal |
http://freegeoip.app | 0% | Virustotal |
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125 | 0% | Virustotal |
https://freegeoip.app/xml/ | 1% | Virustotal |
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.31.105 | true | false | | high
ipbase.com | 104.21.28.190 | true | false | | unknown
freegeoip.app | 172.67.160.84 | true | false | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/154.16.49.82 | false | Avira URL Cloud: safe | unknown
https://ipbase.com/xml/154.16.49.82 | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://freegeoip.app/xml/ | 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://ipbase.com | aspnet_compiler.exe, 00000016.00000002.2745588787.000000000311D000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, 3vj5tYFb6a.exe, 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app | aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.25.dr | false | | high
http://checkip.dyndns.org | aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030DE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | aspnet_compiler.exe, 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipbase.com | aspnet_compiler.exe, 00000016.00000002.2745588787.000000000311D000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://freegeoip.app | aspnet_compiler.exe, 00000016.00000002.2745588787.00000000030FF000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125 | aspnet_compiler.exe, 00000016.00000002.2745588787.0000000003115000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000016.00000002.2745588787.000000000317B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.28.190 | ipbase.com | United States | 13335 | CLOUDFLARENETUS | false
172.67.160.84 | freegeoip.app | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1334037
Start date and time: 2023-10-30 06:46:10 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 3vj5tYFb6a.exe (renamed because original name is a hash value)
Original Sample Name: 10243ce788b5dcbbf248058fe196f371.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@30/24@4/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 60
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample based on specific behavior
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target aspnet_compiler.exe, PID 7512 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Report size getting too big, too many NtSetInformationFile calls found
Time | Type | Description
06:47:02 | API Interceptor | 176x Sleep call for process: powershell.exe modified
06:48:00 | API Interceptor | 3x Sleep call for process: 3vj5tYFb6a.exe modified
06:48:06 | API Interceptor | 11x Sleep call for process: aspnet_compiler.exe modified
06:48:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 193.122.6.168
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.KeyloggerX-gen.24670.4764.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Hesaphareketi-01.exe | malicious | Snake Keylogger | checkip.dyndns.org/
New_product.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Design.bat.exe | malicious | Snake Keylogger | checkip.dyndns.org/
swift.txt.exe | malicious | Snake Keylogger | checkip.dyndns.org/
report_for_4-October-2023.exe | malicious | AgentTesla, Snake Keylogger | checkip.dyndns.org/
POkxzw7w3D.exe | malicious | AgentTesla, Snake Keylogger | checkip.dyndns.org/
payment_confirmation.exe | malicious | Snake Keylogger | checkip.dyndns.org/
zipsetup_(2).exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
(13).mp4.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
sister_live_broadcast_setup.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
1106#U3010#U770b#U76f4#U64ad#U3011#U79d2#U770b#U7535#U89c6.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
WALLHACK_CRACK_Roblox_by_PREDATOR.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
43ssYWDRhs.exe | malicious | AgentTesla, Snake Keylogger | checkip.dyndns.org/
cpulock.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
MJSEAUC.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
hesaphareketi-01.exe | malicious | Snake Keylogger | checkip.dyndns.org/
HCAP1Wys0F.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Nmtdeo.exe | malicious | Snake Keylogger | checkip.dyndns.org/
08A347B6-6FB3-4B5E-9A49-9EC1E49DF8F1.pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match: ipbase.com
Associated Sample Name / URL | Detection | Threat Name | Context
7nYkVlcnfx.exe | malicious | Snake Keylogger | 172.67.147.81
bcAE21roAv.exe | malicious | Snake Keylogger | 172.67.147.81
VegaStealer_v1.bin.exe | malicious | Ades Stealer, NitroStealer | 75.2.60.5
Yandex.bin.exe | malicious | 44Caliber Stealer, Rags Stealer | 75.2.60.5
SPYGAME.bin.exe | malicious | 44Caliber Stealer, Rags Stealer | 75.2.60.5
A6KiC17VqI.exe | malicious | Snake Keylogger | 75.2.60.5
TwB13kUEGN.exe | malicious | Snake Keylogger | 75.2.60.5
w5gL8sZU6z.exe | malicious | Snake Keylogger | 99.83.231.61
k2Bg5AlSk1.exe | malicious | MassLogger RAT, Matiex, Snake Keylogger | 75.2.60.5
vYT3XBi8du.exe | malicious | Snake Keylogger | 99.83.231.61
CJCxcYxjhF.exe | malicious | Snake Keylogger | 99.83.231.61
g95CmPy67V.exe | malicious | Snake Keylogger | 75.2.60.5
nesbiPpHpN.exe | malicious | Snake Keylogger | 99.83.231.61
M6VkStAYfV.exe | malicious | Snake Keylogger | 99.83.231.61
2yecaxS2wK.exe | malicious | Snake Keylogger | 75.2.60.5
058J3H4iEy.exe | malicious | Snake Keylogger | 75.2.60.5
jINnuKt8Yz.exe | malicious | Snake Keylogger | 75.2.60.5
XuwCD7R8y8.exe | malicious | 44Caliber Stealer, Rags Stealer | 99.83.231.61
BOI_PAYMENT_KGA_INV._GE210228C_ADVANCE_YATANDZA.exe | malicious | Snake Keylogger | 99.83.231.61
WLIV3a3E5t.exe | malicious | Njrat, RL STEALER, StormKitty | 99.83.231.61

Match: freegeoip.app
Associated Sample Name / URL | Detection | Threat Name | Context
7nYkVlcnfx.exe | malicious | Snake Keylogger | 172.67.160.84
bcAE21roAv.exe | malicious | Snake Keylogger | 104.21.73.97
VegaStealer_v1.bin.exe | malicious | Ades Stealer, NitroStealer | 104.21.73.97
Yandex.bin.exe | malicious | 44Caliber Stealer, Rags Stealer | 172.67.160.84
SPYGAME.bin.exe | malicious | 44Caliber Stealer, Rags Stealer | 104.21.73.97
A6KiC17VqI.exe | malicious | Snake Keylogger | 188.114.97.7
TwB13kUEGN.exe | malicious | Snake Keylogger | 188.114.96.7
w5gL8sZU6z.exe | malicious | Snake Keylogger | 188.114.97.7
k2Bg5AlSk1.exe | malicious | MassLogger RAT, Matiex, Snake Keylogger | 188.114.97.7
vYT3XBi8du.exe | malicious | Snake Keylogger | 188.114.97.7
CJCxcYxjhF.exe | malicious | Snake Keylogger | 188.114.96.7
g95CmPy67V.exe | malicious | Snake Keylogger | 188.114.97.7
nesbiPpHpN.exe | malicious | Snake Keylogger | 188.114.96.7
M6VkStAYfV.exe | malicious | Snake Keylogger | 188.114.97.7
2yecaxS2wK.exe | malicious | Snake Keylogger | 188.114.96.7
058J3H4iEy.exe | malicious | Snake Keylogger | 188.114.97.7
jINnuKt8Yz.exe | malicious | Snake Keylogger | 188.114.97.13
XuwCD7R8y8.exe | malicious | 44Caliber Stealer, Rags Stealer | 188.114.96.7
BOI_PAYMENT_KGA_INV._GE210228C_ADVANCE_YATANDZA.exe | malicious | Snake Keylogger | 188.114.97.7
WLIV3a3E5t.exe | malicious | Njrat, RL STEALER, StormKitty | 188.114.97.7

Match: www.google.com
Associated Sample Name / URL | Detection | Threat Name | Context
to62eBFVj5.exe | malicious | Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig | 142.251.111.94
file.exe | malicious | Amadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, Xmrig, zgRAT | 142.251.167.106
Setup.msi | malicious | Unknown | 172.253.115.104
Setup.msi | malicious | Unknown | 173.194.68.104
https://www.paypal-support.com/s/?language=en_US | malicious | Unknown | 142.251.16.104
https://szyuanshengheng.com/Rakuten/index.php | malicious | Unknown | 172.253.62.103
https://ktgfasudg.xyz/login.php | malicious | Unknown | 142.251.16.99
https://app10.runmags.com/ | malicious | Unknown | 172.253.115.104
https://kuroneko-yamato-service.shop/ | malicious | Unknown | 172.253.63.99
https://pub-76f3c6b706914e5fbef629ba3dd600e5.r2.dev/emailverification.html | malicious | HTMLPhisher | 142.251.16.104
https://pub-d474e286b25f4c1e9e78e12ca8e5c0b5.r2.dev/new.html | malicious | HTMLPhisher | 172.253.63.105
https://cmscbsmcoenad.crpafma.cn/ | malicious | Unknown | 172.253.115.147
https://pub-bc913ad4eea644849b0a3bec6b515044.r2.dev/Authentication010.html | malicious | HTMLPhisher | 172.253.63.99
https://wallet.cloudwalletconnect.com/ | malicious | Unknown | 142.251.16.105
https://staemcomrnunitly.ru/ | malicious | Unknown | 142.251.16.99
https://jhgktnf.com/?loginid=8d005990345bbf28d24f036f227a66d4-etc-co-jp | malicious | Unknown | 172.253.62.147
https://www.smbcs.life/ | malicious | Unknown | 172.253.63.99
https://stearncomunitly.ru/ | malicious | Unknown | 172.253.122.106
https://co.jp.smbc.uewiwjpman.com/ | malicious | Unknown | 142.251.167.106
https://panda-marine.com/ | malicious | Unknown | 142.251.16.147
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          ORACLE-BMC-31898USSB0G28XC.bat.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 158.101.44.242
                          CI_84394.cmd.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 158.101.44.242
                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 193.122.130.0
                          https://updateapponplaystore.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 193.122.128.135
                          https://netflix-membership-bd.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 193.122.130.38
                          https://shabdndjwinn.blogspot.com/?m=1Get hashmaliciousHTMLPhisherBrowse
                          • 193.122.130.38
                          https://watchnownetflix.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 150.136.156.92
                          https://freefireenewgames.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 193.122.130.38
                          https://netflixaccountloginpage.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 150.136.156.92
                          https://freenetflixxaccontcom.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 150.136.25.38
                          https://govtjao.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                          • 193.122.128.135
                          aILzoYwXdz.elfGet hashmaliciousMiraiBrowse
                          • 147.154.227.187
                          uM5nD8x8pc.elfGet hashmaliciousMiraiBrowse
                          • 144.25.108.223
                          https://www.google.com/url?q=https://nwp0otxd.page.link/RtQw&sa=D&source=editors&ust=1698325187920038&usg=AOvVaw0mg0cllXFrqTmYcNPBcAu6Get hashmaliciousUnknownBrowse
                          • 150.136.25.38
                          https://3h2cuxg1.page.link/naxz&sa=D&source=editors&ust=1698325144367624&usg=AOvVaw04Zt9ypPNZfaUBkeZWuoTXGet hashmaliciousUnknownBrowse
                          • 150.136.25.38
                          https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/frdtal0a81zt/b/367489493903puz35647389302/o/microsoftonline.htmGet hashmaliciousHTMLPhisherBrowse
                          • 134.70.40.1
                          08A347B6-6FB3-4B5E-9A49-9EC1E49DF8F1.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 193.122.130.0
                          PIsazVgJR4.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 193.122.130.0
                          Request_for_Quotation_-E23101031.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 193.122.130.0
                          x86.elfGet hashmaliciousMiraiBrowse
                          • 130.61.168.172
                          CLOUDFLARENETUSSInterpipeF23101016100.exeGet hashmaliciousAzorult, GuLoaderBrowse
                          • 172.67.135.37
                          Setup.msiGet hashmaliciousUnknownBrowse
                          • 172.64.41.3
                          claim_video_Hotel291023.mp4.exeGet hashmaliciousUnknownBrowse
                          • 172.67.142.121
                          RlnsLbBlGs.exeGet hashmaliciousAmadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, zgRATBrowse
                          • 172.64.145.151
                          iqkmyhUCPE.exeGet hashmaliciousAmadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRATBrowse
                          • 104.21.20.155
                          15gYWTX34t.exeGet hashmaliciousAmadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoaderBrowse
                          • 104.21.20.155
                          lCP5KtcDIS.exeGet hashmaliciousAmadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRATBrowse
                          • 104.21.20.155
                          aObYrZt59C.exeGet hashmaliciousAmadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoaderBrowse
                          • 172.64.146.120
                          https://kuroneko-yamato-service.shop/Get hashmaliciousUnknownBrowse
                          • 104.17.24.14
                          https://pub-76f3c6b706914e5fbef629ba3dd600e5.r2.dev/emailverification.htmlGet hashmaliciousHTMLPhisherBrowse
                          • 104.18.2.35
                          1ikKTZZ7De.exeGet hashmaliciousAmadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, zgRATBrowse
                          • 104.19.218.90
                          https://pub-d474e286b25f4c1e9e78e12ca8e5c0b5.r2.dev/new.htmlGet hashmaliciousHTMLPhisherBrowse
                          • 104.18.2.35
                          NWzDZBgPhA.exeGet hashmaliciousRedLineBrowse
                          • 104.20.67.143
                          NWzDZBgPhA.exeGet hashmaliciousRedLineBrowse
                          • 104.20.67.143
                          https://pub-bc913ad4eea644849b0a3bec6b515044.r2.dev/Authentication010.htmlGet hashmaliciousHTMLPhisherBrowse
                          • 104.17.25.14
                          https://wallet.cloudwalletconnect.com/Get hashmaliciousUnknownBrowse
                          • 104.18.35.15
                          https://staemcomrnunitly.ru/Get hashmaliciousUnknownBrowse
                          • 104.21.34.147
                          https://stearncomunitly.ru/Get hashmaliciousUnknownBrowse
                          • 104.18.42.105
                          https://pub-a9679b2711464ea9917a6c5392d93ee5.r2.dev/araxn.htmlGet hashmaliciousHTMLPhisherBrowse
                          • 104.18.2.35
                          https://pub-b81b5bf862c04fa5982daffd9ca70d80.r2.dev/cc23.htmlGet hashmaliciousUnknownBrowse
                          • 104.18.3.35
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          54328bd36c14bd82ddaa0c04b25ed9adr9yoXOkPES.exeGet hashmaliciousNjratBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          61BAN1qUS5.exeGet hashmaliciousNjratBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          file.exeGet hashmaliciousUnknownBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          Checkeur netflix validator by crips.exeGet hashmaliciousLimeRATBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          New_Order_(2).jsGet hashmaliciousPXRECVOWEIWOEI Stealer, zgRATBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          ify.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          lK3sh4b3ds.exeGet hashmaliciousAgniane StealerBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          https://docs.google.com/presentation/d/1mPihsFJvaYn8yxmafo1fNbuOr1nDfR-m05559wjl-9k/pubGet hashmaliciousUnknownBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          lK3sh4b3ds.exeGet hashmaliciousAgniane StealerBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          7nYkVlcnfx.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          bcAE21roAv.exeGet hashmaliciousSnake KeyloggerBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeGet hashmaliciousUnknownBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          file.exeGet hashmaliciousXFiles StealerBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          AS9Dqsivqk.exeGet hashmaliciousUnknownBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          AS9Dqsivqk.exeGet hashmaliciousUnknownBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          Invoices.scr.exeGet hashmaliciousAveMariaBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          ZuXcnAYgVp.exeGet hashmaliciousNjratBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          j6gr7r4Bj2.exeGet hashmaliciousAgent Tesla, AgentTeslaBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          ERFrKcEtfs.exeGet hashmaliciousAgent Tesla, AgentTeslaBrowse
                          • 172.67.160.84
                          • 104.21.28.190
                          zipsetup_(2).exeGet hashmaliciousAgent Tesla, AgentTeslaBrowse
                          • 172.67.160.84
                          • 104.21.28.190
Match: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe

Associated Sample Name / URL                            Detection   Threat Name
50000PCSPIC12F1501-ESN.exe                              malicious   AgentTesla
SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe    malicious   XWorm
Jdxvyx.exe                                              malicious   AgentTesla
SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe       malicious   AgentTesla
shipping_doc_62085317440.exe                            malicious   AgentTesla
PRE-ALERT_IOF23-24JPR1298.exe                           malicious   AgentTesla
TRANSF.exe                                              malicious   GuLoader AgentTesla
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.160369187200042
                                        Encrypted:false
                                        SSDEEP:192:s89ZrvNT0BU/Ka6ce36qZzuiF4Z24IO8hn2E:sq1vNABU/KarVqZzuiF4Y4IO8h
                                        MD5:5A720DFFA83D87FC6A91CEC9F94D9D5C
                                        SHA1:40B6BDADDF161C9EFBC62430B14228FF60F5BDFB
                                        SHA-256:6645BE835572EAD5ACC4ED671FEAD94CFCE3BD2E6A4014C5253C5796DC479E10
                                        SHA-512:6B72DBAF42FFE8408D63DFB12B3BD87987BC7B02FF2C467F0C8BC51C8BD68416A55CEECE5360E8AA17A32B3021704E63DC40E32F9172E3D365969AC60EBCE3AB
                                        Malicious:false
                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.3.1.1.8.4.8.7.8.5.7.0.7.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.3.1.1.8.4.8.8.9.1.9.5.6.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.a.e.1.b.8.c.-.e.8.f.9.-.4.f.a.2.-.8.2.0.7.-.2.6.e.2.1.0.5.f.9.5.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.e.9.f.c.f.4.5.-.0.7.9.a.-.4.e.5.2.-.b.5.0.9.-.e.d.a.d.2.0.1.6.e.4.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.c.o.m.p.i.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.c.o.m.p.i.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.8.-.0.0.0.1.-.0.0.1.4.-.9.a.7.c.-.e.1.a.5.f.4.0.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.c.1.b.e.e.9.7.6.6.0.4.c.6.f.e.9.0.9.5.d.c.0.e.8.7.f.3.b.5.2.0.0.0.0.0.0.9.0.4.!.0.0.0.0.1.9.d.f.d.8.6.2.9.4.c.4.a.5.2.5.b.a.2.1.c.6.a.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Mini DuMP crash report, 15 streams, Mon Oct 30 05:48:08 2023, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):301518
                                        Entropy (8bit):3.6005779934754885
                                        Encrypted:false
                                        SSDEEP:3072:wyS0QlZnVyv4kHvI4uEqZHzgHLTg5flDqhI:woQLVyQr4MTgrTg5pqe
                                        MD5:D1688DF6264419EBC9ACCD3E0C8DDB43
                                        SHA1:50CDFB14EF32E73B1B3E4A5254DB322CAD3A325A
                                        SHA-256:AF98375879BF51BF0417741FF41E22ED65A6FD758A26F405EE3D6D476FA338F2
                                        SHA-512:506FFA3F526F753F556FA451256FA05EB3815F39018BCFC4EE92C111375257981ED83A12472CD1F978DE0BB067253C1802BEB519AB16E1655A4340497D625434
                                        Malicious:false
                                        Preview:MDMP..a..... ........C?e....................................<....(.......%...^..........`.......8...........T...........PV..~C...........(...........*..............................................................................eJ......H+......GenuineIntel............T.......X....C?e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6356
                                        Entropy (8bit):3.7257562765910994
                                        Encrypted:false
                                        SSDEEP:96:RSIU6o7wVetbR06L/YX4xuQE/hhCgaM4UA89bi3sfHWm:R6l7wVeJR06L/YX40HprA89bi3sfHWm
                                        MD5:80C0C4ABE4B0BE32909D159C758989D6
                                        SHA1:C67CECFD25D24C89E60421878613DCC3CD43E16E
                                        SHA-256:D73E6C001B3D640DE725A3B72E26D72B885E87B0A83D22ED38E3EA5901A2A069
                                        SHA-512:72D388C931FCF1A82864DD42AEB16B733CCEA728137FB9CE432D854A4446649423409719E31E57077F016CFC3C79ADDF3497FA3F3499414A7A3678F41F6A11A8
                                        Malicious:false
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.2.<./.P.i.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4699
                                        Entropy (8bit):4.483470157979915
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zsIJg77aI9BuWpW8VYGvYm8M4JV4imjFD+q8bIib9ru0AyTOkDXUd:uIjfOI7bP7VdyJVaglru0AaOaXUd
                                        MD5:5721EE1516B52B0E86C3D7282FBB6065
                                        SHA1:67F21B16F372164357CE6FABAFDEF64AB7A3AC57
                                        SHA-256:BEA40C589CEAFBAF4830A239C7189FCAC8F1057C5671B50C2FE9D68CA47D9B64
                                        SHA-512:DAC8B01A3743F0C0B9C7AC6DADD478BBF9E611B04865D288B92765116ADAA0D2A3AA3DFB8A7ED6C48A3391E04529A93B3A3855596C6DA16FE261E01C4D7358B3
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="38690" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096
                                        Process:C:\Users\user\Desktop\3vj5tYFb6a.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):737
                                        Entropy (8bit):5.352753964755418
                                        Encrypted:false
                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZarkvoDLI4MWuCv:ML9E4KlKDE4KhKiKhBsXE4qdKqE4Ks
                                        MD5:0CA106C422E6449195350BCA953D7CC4
                                        SHA1:005E5CFB8FA6DE4708C31A1E2C1170BAA30C4340
                                        SHA-256:10ED25DF3CFDBE98578530971D77702C12F0D15A78135224DE1E2F19DDB9DA87
                                        SHA-512:AB8D82F4CD14D306B492475F9FD7714AE719AB1D09367504A28F92A1C34587700389168FD5F014BBF5B04BE37E1E13860DADD755058D2B63EA898DE388115591
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.6599547231656377
                                        Encrypted:false
                                        SSDEEP:3:Nlllulllltl:NllU
                                        MD5:EA2381CDF1B16E923A271DFD5EC27FFA
                                        SHA1:6280D95ACCAB2C9100EA14162B8A09926484AFAB
                                        SHA-256:C258989349BD9B905E1088F1B29CC76E240FAC0BADB2B8BE51C1DA38107FFA8E
                                        SHA-512:B091E838EB53F1AF9358F020909D98DA68F5A242911851880AFEA5C8085860DBBB41BFA7A3D09ABF49CE6FCE7A49FDA448A4BDFE1745A9973F649CAEA05D4083
                                        Malicious:false
                                        Preview:@...e...........................................................
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                         (five further powershell.exe drops of the same 60-byte AppLocker test file, identical in size, hashes and content to the entry above)
                                        Process:C:\Users\user\Desktop\3vj5tYFb6a.exe
                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):56368
                                        Entropy (8bit):6.120994357619221
                                        Encrypted:false
                                        SSDEEP:768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
                                        MD5:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                        SHA1:19DFD86294C4A525BA21C6AF77681B2A9BBECB55
                                        SHA-256:99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
                                        SHA-512:94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                         • Antivirus: Virustotal, Detection: 0%
                                        Joe Sandbox View:
                                         • Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious
                                         • Filename: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe, Detection: malicious
                                         • Filename: Jdxvyx.exe, Detection: malicious
                                         • Filename: SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe, Detection: malicious
                                         • Filename: shipping_doc_62085317440.exe, Detection: malicious
                                         • Filename: PRE-ALERT_IOF23-24JPR1298.exe, Detection: malicious
                                         • Filename: TRANSF.exe, Detection: malicious
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
                                        Process:C:\Users\user\Desktop\3vj5tYFb6a.exe
                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):510464
                                        Entropy (8bit):5.999553408269374
                                        Encrypted:false
                                        SSDEEP:12288:nicNb5chlOMdRL8m6alMG/njrPIRp4tbhknaSJ8XC0x:tqhPRL8m6alMG/njrPIRp496aLXC0
                                        MD5:10243CE788B5DCBBF248058FE196F371
                                        SHA1:0DA95887908B6ADA23C698DE6CF2F3F986655721
                                        SHA-256:8BF51CCB2646D38AF6778A0712C78415E113B1393509AFDC16C97A0BFB91EB55
                                        SHA-512:A990028F8A9B4CCE76C2409F95837436D61DC7038D1365D669FD9143F75580E74E4F9F013934435A1CA9E0C1360BBEBFE276EA4328AB9D7BD26C6C7C63E83160
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 62%
                                         • Antivirus: Virustotal, Detection: 63%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a................0..............+... ...@....@.. ....................... ............@..................................+..O....@...............................+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc..............................@..B.................+......H........$...............:...............................................0..2.........i..1.r...ps....z(....o.....(....&s....%.o....%o....%.o....o....o....(....r...ps.....r...p.o....(....(....r...p.o....(....(....r...p.o....(....(....r...p.o....(....(....r...p.o....(....(....r*..p.o ...."...(!...(....rN..p.o"....#...(!...(....rt..p.o#....#...(!...(....r...p.o$....#...(!...(....r...p.o%....#...(!...(....r...p.o&....#...(!...(....r...p.o'...(....(....r...p.o(...(....(....r"..p.o
                                        Process:C:\Users\user\Desktop\3vj5tYFb6a.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.42215784083635
                                        Encrypted:false
                                        SSDEEP:6144:5Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNb0uhiTw:wvloTMW+EZMM6DFyJ03w
                                        MD5:B26DFD2536D15A1C869F90B632F04117
                                        SHA1:02BB2740A787C92EFAEEC302F4F6D8092AE8A7EF
                                        SHA-256:33BB379463CF02FEFB290D7960F80A3BF44B625DC1BAE7C52DBB779A7496C63F
                                        SHA-512:C3B26AF79ACBB5DF2E0DA10D4F11D6F3F786A35EC6E7DB8B7D4A74C94C4C13F921039AF7145210E3570E5237B65C71074DF53AEA0C859C4D4B509C1F18682DA3
                                        Malicious:false
                                        Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.`..................................................................................................................................................................................................................................................................................................................................................D...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):5.999553408269374
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:3vj5tYFb6a.exe
                                        File size:510'464 bytes
                                        MD5:10243ce788b5dcbbf248058fe196f371
                                        SHA1:0da95887908b6ada23c698de6cf2f3f986655721
                                        SHA256:8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
                                        SHA512:a990028f8a9b4cce76c2409f95837436d61dc7038d1365d669fd9143f75580e74e4f9f013934435a1ca9e0c1360bbebfe276ea4328ab9d7bd26c6c7c63e83160
                                        SSDEEP:12288:nicNb5chlOMdRL8m6alMG/njrPIRp4tbhknaSJ8XC0x:tqhPRL8m6alMG/njrPIRp496aLXC0
                                        TLSH:8CB42915E3027505D8FCAB728FBFE7F02250ABAF5A614206BD8435FA44E939D25C3AC5
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a................0..............+... ...@....@.. ....................... ............@................................
                                        Icon Hash:9a2c56c33b3d3b17
                                        Entrypoint:0x452bfa
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows cui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0xC2FC6181 [Wed Aug 30 11:58:57 2073 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                         add byte ptr [eax], al   (repeated 97 times: the 00 00 byte pairs that follow the six-byte jmp stub, i.e. padding, not code)
                                         Name                                  Virtual Address  Virtual Size  Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_IMPORT          0x52ba8          0x4f          .text
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        0x54000          0x2b8ac       .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       0x80000          0xc           .reloc
                                         IMAGE_DIRECTORY_ENTRY_DEBUG           0x52b8c          0x1c          .text
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                         IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                         Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                         .text   0x2000           0x50c00       0x50c00   False     0.6503996952399381   data       6.830640750171603    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rsrc   0x54000          0x2b8ac       0x2ba00   False     0.18921248209169053  data       3.7443496131971172   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .reloc  0x80000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Name           RVA      Size     Type                                                                                   ZLIB Complexity
                                         RT_ICON        0x54200  0x35ba   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                            0.9911298531336339
                                         RT_ICON        0x577cc  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                    0.07398260972435822
                                         RT_ICON        0x68004  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 38016                     0.11488332982972461
                                         RT_ICON        0x714bc  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 21600                     0.13313308687615527
                                         RT_ICON        0x76954  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896                     0.14684695323571093
                                         RT_ICON        0x7ab8c  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600                       0.21286307053941908
                                         RT_ICON        0x7d144  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224                       0.2840056285178236
                                         RT_ICON        0x7e1fc  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2400                       0.3704918032786885
                                         RT_ICON        0x7eb94  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088                       0.46099290780141844
                                         RT_GROUP_ICON  0x7f00c  0x84     data                                                                                   0.7272727272727273
                                         RT_VERSION     0x7f0a0  0x406    data                                                                                   0.41067961165048544
                                         RT_MANIFEST    0x7f4b8  0x3ed    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators      0.4218905472636816
                                         (the Language and Country columns are empty for every resource entry)
                                         DLL          Import
                                         mscoree.dll  _CorExeMain
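The static fields above (entry point, image base, section table, IAT directory, time stamp and the `jmp dword ptr [00402000h]` at the entry point) can be cross-checked without the sample itself. The script below is an added example and is not part of the Joe Sandbox report: the numeric values are copied from the report, the six stub bytes are constructed from the disassembly line (the FF 25 encoding of an indirect jmp, as every 32-bit managed executable begins), and the helper names and the analysis date used for the timestamp check are the author's own.

```python
"""Static sanity checks on the PE header fields reported for 3vj5tYFb6a.exe.

Added example, not part of the sandbox report.  Values are transcribed from
the report's static-analysis tables; helper names are the author's own.
"""
import struct
from datetime import datetime, timedelta, timezone

# Section table as reported: (name, virtual address, virtual size, raw size)
SECTIONS = [
    (".text",  0x2000,  0x50c00, 0x50c00),
    (".rsrc",  0x54000, 0x2b8ac, 0x2ba00),
    (".reloc", 0x80000, 0xc,     0x200),
]
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x452bfa
IAT_RVA, IAT_SIZE = 0x2000, 0x8           # IMAGE_DIRECTORY_ENTRY_IAT
TIMESTAMP = 0xC2FC6181                    # IMAGE_FILE_HEADER.TimeDateStamp
ANALYSIS_DATE = datetime(2023, 10, 30, tzinfo=timezone.utc)   # assumed: date of the run

# Constructed: the six bytes that disassemble to "jmp dword ptr [00402000h]"
# (opcode FF 25 followed by a little-endian absolute address).
ENTRY_STUB = bytes.fromhex("ff25 0020 4000")


def section_for_rva(rva, sections=SECTIONS):
    """Return the name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def decode_clr_stub(stub, image_base=IMAGE_BASE):
    """Decode an FF 25 indirect jmp and return the RVA of the slot it jumps through.

    A 32-bit .NET image starts with exactly this stub: a jump through the one
    IAT slot that the loader fills with mscoree!_CorExeMain.  Returns None
    when the bytes are not an indirect jmp.
    """
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    (abs_addr,) = struct.unpack_from("<I", stub, 2)
    return abs_addr - image_base


def pe_timestamp(ts):
    """Convert IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def triage():
    """Run the checks and return the findings as a dict."""
    ep_rva = ENTRY_POINT_VA - IMAGE_BASE
    iat_slot = decode_clr_stub(ENTRY_STUB)
    built = pe_timestamp(TIMESTAMP)
    return {
        # The entry point must sit inside an executable section.
        "entry_point_section": section_for_rva(ep_rva),
        # The stub must read its target from inside the IAT directory.
        "stub_reads_iat": iat_slot is not None
                          and IAT_RVA <= iat_slot < IAT_RVA + IAT_SIZE,
        "timestamp_utc": built,
        # A build date after the analysis date cannot be genuine.  Note that
        # .NET compilers building deterministically also store a hash-derived
        # value here, so treat the field as unreliable rather than as proof
        # of deliberate tampering.
        "timestamp_in_future": built > ANALYSIS_DATE,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run stand-alone it reports the entry point in `.text`, a stub that jumps through the IAT slot at RVA 0x2000 (the single `_CorExeMain` import listed above), and a build time of Aug 30 11:58:57 2073 UTC, fifty years after the analysis.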
                                         Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                         Oct 30, 2023 06:48:05.625711918 CET  49720        80         192.168.2.5    193.122.6.168
                                         Oct 30, 2023 06:48:05.808574915 CET  80           49720      193.122.6.168  192.168.2.5
                                         Oct 30, 2023 06:48:05.808820009 CET  49720        80         192.168.2.5    193.122.6.168
                                         Oct 30, 2023 06:48:06.354547024 CET  49720        80         192.168.2.5    193.122.6.168
                                         Oct 30, 2023 06:48:06.537195921 CET  80           49720      193.122.6.168  192.168.2.5
                                         Oct 30, 2023 06:48:06.538450956 CET  80           49720      193.122.6.168  192.168.2.5
                                         Oct 30, 2023 06:48:06.583539963 CET  49720        80         192.168.2.5    193.122.6.168
                                         Oct 30, 2023 06:48:06.767543077 CET  80           49720      193.122.6.168  192.168.2.5
                                         Oct 30, 2023 06:48:06.811830997 CET  49720        80         192.168.2.5    193.122.6.168
                                         Oct 30, 2023 06:48:06.965630054 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:06.965692997 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:06.965755939 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:06.974478006 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:06.974497080 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.181688070 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.181874990 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:07.183561087 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:07.183592081 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.184062004 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.233652115 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:07.279541016 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:07.322475910 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.404130936 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.404356956 CET  443          49721      172.67.160.84  192.168.2.5
                                         Oct 30, 2023 06:48:07.404433966 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:07.411473989 CET  49721        443        192.168.2.5    172.67.160.84
                                         Oct 30, 2023 06:48:07.511800051 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.511842012 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.511941910 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.512571096 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.512588978 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.720133066 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.720432043 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.722968102 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.722979069 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.723436117 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.725589037 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.766482115 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.974850893 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.974929094 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.974967957 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.975070953 CET  443          49722      104.21.28.190  192.168.2.5
                                         Oct 30, 2023 06:48:07.975121975 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.975121975 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:07.980674982 CET  49722        443        192.168.2.5    104.21.28.190
                                         Oct 30, 2023 06:48:12.072031975 CET  49720        80         192.168.2.5    193.122.6.168
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2023 06:47:03.807622910 CET | 54649 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2023 06:47:03.901319027 CET | 53 | 54649 | 1.1.1.1 | 192.168.2.5
Oct 30, 2023 06:48:04.864658117 CET | 52040 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2023 06:48:04.958959103 CET | 53 | 52040 | 1.1.1.1 | 192.168.2.5
Oct 30, 2023 06:48:06.828947067 CET | 53179 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2023 06:48:06.964550018 CET | 53 | 53179 | 1.1.1.1 | 192.168.2.5
Oct 30, 2023 06:48:07.414632082 CET | 56155 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2023 06:48:07.510363102 CET | 53 | 56155 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2023 06:47:03.807622910 CET | 192.168.2.5 | 1.1.1.1 | 0x3fd5 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:04.864658117 CET | 192.168.2.5 | 1.1.1.1 | 0xa02c | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:06.828947067 CET | 192.168.2.5 | 1.1.1.1 | 0xd8d3 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:07.414632082 CET | 192.168.2.5 | 1.1.1.1 | 0x6004 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2023 06:47:03.901319027 CET | 1.1.1.1 | 192.168.2.5 | 0x3fd5 | No error (0) | www.google.com | | 142.250.31.105 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:47:03.901319027 CET | 1.1.1.1 | 192.168.2.5 | 0x3fd5 | No error (0) | www.google.com | | 142.250.31.103 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:47:03.901319027 CET | 1.1.1.1 | 192.168.2.5 | 0x3fd5 | No error (0) | www.google.com | | 142.250.31.147 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:47:03.901319027 CET | 1.1.1.1 | 192.168.2.5 | 0x3fd5 | No error (0) | www.google.com | | 142.250.31.99 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:47:03.901319027 CET | 1.1.1.1 | 192.168.2.5 | 0x3fd5 | No error (0) | www.google.com | | 142.250.31.104 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:47:03.901319027 CET | 1.1.1.1 | 192.168.2.5 | 0x3fd5 | No error (0) | www.google.com | | 142.250.31.106 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:04.958959103 CET | 1.1.1.1 | 192.168.2.5 | 0xa02c | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2023 06:48:04.958959103 CET | 1.1.1.1 | 192.168.2.5 | 0xa02c | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:04.958959103 CET | 1.1.1.1 | 192.168.2.5 | 0xa02c | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:04.958959103 CET | 1.1.1.1 | 192.168.2.5 | 0xa02c | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:04.958959103 CET | 1.1.1.1 | 192.168.2.5 | 0xa02c | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:04.958959103 CET | 1.1.1.1 | 192.168.2.5 | 0xa02c | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:06.964550018 CET | 1.1.1.1 | 192.168.2.5 | 0xd8d3 | No error (0) | freegeoip.app | | 172.67.160.84 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:06.964550018 CET | 1.1.1.1 | 192.168.2.5 | 0xd8d3 | No error (0) | freegeoip.app | | 104.21.73.97 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:07.510363102 CET | 1.1.1.1 | 192.168.2.5 | 0x6004 | No error (0) | ipbase.com | | 104.21.28.190 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 06:48:07.510363102 CET | 1.1.1.1 | 192.168.2.5 | 0x6004 | No error (0) | ipbase.com | | 172.67.147.81 | A (IP address) | IN (0x0001) | false
                                        • freegeoip.app
                                        • ipbase.com
                                        • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49721 | 172.67.160.84 | 443 | C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49722 | 104.21.28.190 | 443 | C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49720 | 193.122.6.168 | 80 | C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Timestamp | kBytes transferred | Direction | Data
Oct 30, 2023 06:48:06.354547024 CET | 80 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
                                        Connection: Keep-Alive
Oct 30, 2023 06:48:06.538450956 CET | 80 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 30 Oct 2023 05:48:06 GMT
                                        Content-Type: text/html
                                        Content-Length: 104
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.49.82</body></html>
Oct 30, 2023 06:48:06.583539963 CET | 80 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
Oct 30, 2023 06:48:06.767543077 CET | 81 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 30 Oct 2023 05:48:06 GMT
                                        Content-Type: text/html
                                        Content-Length: 104
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.49.82</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49721 | 172.67.160.84 | 443 | C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Timestamp | kBytes transferred | Direction | Data
2023-10-30 05:48:07 UTC | 0 | OUT | GET /xml/154.16.49.82 HTTP/1.1
                                        Host: freegeoip.app
                                        Connection: Keep-Alive
2023-10-30 05:48:07 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Mon, 30 Oct 2023 05:48:07 GMT
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Cache-Control: max-age=3600
                                        Expires: Mon, 30 Oct 2023 06:48:07 GMT
                                        Location: https://ipbase.com/xml/154.16.49.82
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BvG35qdb0diwGSGAvS0M9W0Jd9fZ0gSiiQCnCyYrfm3llWcl%2BpkkjdZajKdDIO7Wb8XrpHZRhAT%2FsuOVqyQ0qbgfLKlaX7YTrxz2V2uufdzvH3F7WQz5mJLYPXKdOBOj"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 81e15e11d9a2573a-IAD
                                        alt-svc: h3=":443"; ma=86400
2023-10-30 05:48:07 UTC | 0 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49722 | 104.21.28.190 | 443 | C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Timestamp | kBytes transferred | Direction | Data
2023-10-30 05:48:07 UTC | 0 | OUT | GET /xml/154.16.49.82 HTTP/1.1
                                        Host: ipbase.com
                                        Connection: Keep-Alive
2023-10-30 05:48:07 UTC | 0 | IN | HTTP/1.1 404 Not Found
                                        Date: Mon, 30 Oct 2023 05:48:07 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Age: 0
                                        Cache-Control: public,max-age=0,must-revalidate
                                        Vary: Accept-Encoding
                                        X-Nf-Request-Id: 01HDZJ02AFES9CKAYD8VYCNN2C
                                        CF-Cache-Status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GMVxCTCuT03JBSoMF4Po387hkk3lt4sAHoK8j25jn%2FBrf882gb2cR1qx%2Bg7CoOS0XXFu%2FU7GA%2BZ2tm1pY0rUR8EFU0S6QOtaKfXcB6KS20eZqZ3GlaKhit%2FB2m2e"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 81e15e153ea91fd4-IAD
                                        alt-svc: h3=":443"; ma=86400
2023-10-30 05:48:07 UTC | 1 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2023-10-30 05:48:07 UTC | 2 | IN | Data Ascii: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh; width: 100vw; }
2023-10-30 05:48:07 UTC | 3 | IN | Data Ascii: 36,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936 L9.84199531,2 L11.9998836,4.093
2023-10-30 05:48:07 UTC | 4 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0



                                        Target ID:0
                                        Start time:06:47:00
                                        Start date:30/10/2023
                                        Path:C:\Users\user\Desktop\3vj5tYFb6a.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\3vj5tYFb6a.exe
                                        Imagebase:0x750000
                                        File size:510'464 bytes
                                        MD5 hash:10243CE788B5DCBBF248058FE196F371
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2691462788.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2690950066.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2690950066.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2690458714.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:06:47:00
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:06:47:01
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:06:47:01
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:06:47:01
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\ipconfig.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\ipconfig.exe" /release
                                        Imagebase:0x9b0000
                                        File size:29'184 bytes
                                        MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:6
                                        Start time:06:47:01
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:06:47:01
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:06:47:06
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:06:47:06
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:06:47:11
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:06:47:11
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:06:47:17
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:06:47:17
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:06:47:22
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Has exited:true

                                        Target ID:17
                                        Start time:06:47:22
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:06:47:26
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
                                        Imagebase:0xc40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Has exited:true

                                        Target ID:19
                                        Start time:06:47:26
                                        Start date:30/10/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:06:47:27
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\ipconfig.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\ipconfig.exe" /renew
                                        Imagebase:0x9b0000
                                        File size:29'184 bytes
                                        MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:06:48:03
                                        Start date:30/10/2023
                                        Path:C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                                        Imagebase:0xe50000
                                        File size:56'368 bytes
                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000016.00000002.2743161051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2745588787.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal
                                        Has exited:true

                                        Target ID:25
                                        Start time:06:48:07
                                        Start date:30/10/2023
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 2204
                                        Imagebase:0x8d0000
                                        File size:483'680 bytes
                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:9.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:82
                                          Total number of Limit Nodes:2
                                          execution_graph 10114 113f750 10116 113f759 10114->10116 10115 113f75d 10116->10115 10117 113f805 Wow64SetThreadContext 10116->10117 10118 113f82d 10117->10118 10134 113f9c0 10135 113fa08 WriteProcessMemory 10134->10135 10137 113fa5f 10135->10137 10161 113fbb0 10162 113fc39 10161->10162 10162->10162 10163 113fd9e CreateProcessA 10162->10163 10164 113fdfb 10163->10164 10138 1070990 10139 10709aa 10138->10139 10142 10709c0 10138->10142 10146 10709bc 10138->10146 10143 1070a15 K32GetModuleBaseNameA 10142->10143 10145 1070ad3 10143->10145 10148 10709bf 10146->10148 10147 1070a92 K32GetModuleBaseNameA 10149 1070ad3 10147->10149 10148->10147 10148->10148 10181 1070330 10185 1070360 10181->10185 10189 1070358 10181->10189 10182 1070347 10186 10703ab K32EnumProcesses 10185->10186 10188 10703f2 10186->10188 10188->10182 10190 107035f K32EnumProcesses 10189->10190 10192 10703f2 10190->10192 10192->10182 10193 1070cb0 10194 1070cc7 10193->10194 10196 113f8e0 10193->10196 10197 113f920 VirtualAllocEx 10196->10197 10199 113f95d 10197->10199 10199->10194 10165 5aea607 10166 5aea7c4 10165->10166 10170 5aeaba0 10166->10170 10174 5aeabb0 10166->10174 10167 5aea4c6 10171 5aeabb0 10170->10171 10177 5aeb010 10171->10177 10176 5aeb010 CopyFileW 10174->10176 10175 5aeabc9 10175->10167 10176->10175 10178 5aeb05b CopyFileW 10177->10178 10180 5aeabc9 10178->10180 10180->10167 10119 1131c58 10120 1131c6c 10119->10120 10122 1133c6d 10119->10122 10123 1133c75 10122->10123 10126 113a320 10123->10126 10128 113a333 10126->10128 10130 113a3d8 10128->10130 10131 113a420 VirtualProtect 10130->10131 10133 1133c91 10131->10133 10200 113a5a8 10201 113a5e8 ResumeThread 10200->10201 10203 113a619 10201->10203 10150 1070858 10151 1070872 10150->10151 10154 1070880 10150->10154 10158 1070888 10150->10158 10155 1070888 K32EnumProcessModules 10154->10155 10157 107090a 10155->10157 10157->10151 10159 10708d0 K32EnumProcessModules 10158->10159 10160 107090a 
10159->10160 10160->10151 10204 1070e78 10208 1070eb0 10204->10208 10212 1070e9f 10204->10212 10205 1070e98 10209 1070ee4 10208->10209 10210 1070f30 10209->10210 10216 1070fc8 10209->10216 10210->10205 10213 1070ee4 10212->10213 10214 1070f30 10213->10214 10215 1070fc8 2 API calls 10213->10215 10214->10205 10215->10214 10220 1071000 10216->10220 10224 1071008 10216->10224 10217 1070fef 10217->10210 10221 1071008 EnumChildWindows 10220->10221 10223 107108f 10221->10223 10223->10217 10225 107104c EnumChildWindows 10224->10225 10227 107108f 10225->10227 10227->10217

                                          Control-flow Graph

                                          control_flow_graph 209 1130848-113086b 210 1130871-11308b4 call 1130480 call 1130450 call 1130df0 call 11310b0 call 1130df0 209->210 211 1130d14-1130dae 209->211 319 11308b6 call 1131169 210->319 320 11308b6 call 11310e8 210->320 224 1130db4-1130dbf 211->224 226 1130dc1-1130dc7 224->226 227 1130dc8-1130de9 224->227 226->227 230 11308bc-1130c90 304 1130c92 230->304 305 1130c98-1130c9a 230->305 306 1130c94-1130c96 304->306 307 1130c9c 304->307 308 1130ca1-1130d13 305->308 306->305 306->307 307->308 319->230 320->230
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D@
                                          • API String ID: 0-2222373746
                                          • Opcode ID: fd83748dfd59b1361becbd830d8100fef1a6809610857a6be9e010c9cefd3e99
                                          • Instruction ID: 94baa0f61310a88ee04964fd83b0820a1f7f457201c999db80cd0ef4a4c54d63
                                          • Opcode Fuzzy Hash: fd83748dfd59b1361becbd830d8100fef1a6809610857a6be9e010c9cefd3e99
                                          • Instruction Fuzzy Hash: 2CF19431B003558FCF48FBB4C85466E77E2AFC9700B15C969E40AAB265EF35AD55CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 512ad11addc5702fc692137b53b50ad8dccdb3dd23629bc6f497c83e8e66da4d
                                          • Instruction ID: da74e7530c8657eecb902f1758203e0d8333d63b4229b62892b6a3e71b99f940
                                          • Opcode Fuzzy Hash: 512ad11addc5702fc692137b53b50ad8dccdb3dd23629bc6f497c83e8e66da4d
                                          • Instruction Fuzzy Hash: D4D19231B103559FCF48BBB4885866E77A2AFC8700715C968E40AAF265EF35ED56CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 150 113fbb0-113fc45 152 113fc47-113fc51 150->152 153 113fc7e-113fc9e 150->153 152->153 154 113fc53-113fc55 152->154 158 113fca0-113fcaa 153->158 159 113fcd7-113fd06 153->159 156 113fc57-113fc61 154->156 157 113fc78-113fc7b 154->157 160 113fc63 156->160 161 113fc65-113fc74 156->161 157->153 158->159 162 113fcac-113fcae 158->162 169 113fd08-113fd12 159->169 170 113fd3f-113fdf9 CreateProcessA 159->170 160->161 161->161 163 113fc76 161->163 164 113fcd1-113fcd4 162->164 165 113fcb0-113fcba 162->165 163->157 164->159 167 113fcbe-113fccd 165->167 168 113fcbc 165->168 167->167 171 113fccf 167->171 168->167 169->170 172 113fd14-113fd16 169->172 181 113fe02-113fe88 170->181 182 113fdfb-113fe01 170->182 171->164 174 113fd39-113fd3c 172->174 175 113fd18-113fd22 172->175 174->170 176 113fd26-113fd35 175->176 177 113fd24 175->177 176->176 178 113fd37 176->178 177->176 178->174 192 113fe8a-113fe8e 181->192 193 113fe98-113fe9c 181->193 182->181 192->193 196 113fe90-113fe93 call 11303ec 192->196 194 113fe9e-113fea2 193->194 195 113feac-113feb0 193->195 194->195 198 113fea4-113fea7 call 11303ec 194->198 199 113feb2-113feb6 195->199 200 113fec0-113fec4 195->200 196->193 198->195 199->200 202 113feb8-113febb call 11303ec 199->202 203 113fed6-113fedd 200->203 204 113fec6-113fecc 200->204 202->200 206 113fef4 203->206 207 113fedf-113feee 203->207 204->203 207->206
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0113FDE6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 2f4b8fcdb8f241db58ae5282319d58c5bdce3f063584bb5a60b2bd09cfd24ac3
                                          • Instruction ID: fe449ccc3a35b56bf25af84153fd6d15cad83604b879429ea6a69a9dec686653
                                          • Opcode Fuzzy Hash: 2f4b8fcdb8f241db58ae5282319d58c5bdce3f063584bb5a60b2bd09cfd24ac3
                                          • Instruction Fuzzy Hash: EF917171D0021ACFEF15CF68C941BDDBBB2BF88710F148569E818A7294DB749986CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 321 10709bc-1070a23 324 1070a25-1070a4a 321->324 325 1070a92-1070ad1 K32GetModuleBaseNameA 321->325 331 1070a4c-1070a4e 324->331 332 1070a7a-1070a7f 324->332 326 1070ad3-1070ad9 325->326 327 1070ada-1070ae8 325->327 326->327 329 1070afe-1070b25 327->329 330 1070aea-1070af6 327->330 338 1070b27-1070b2b 329->338 339 1070b35 329->339 330->329 336 1070a70-1070a78 331->336 337 1070a50-1070a5a 331->337 343 1070a81-1070a8d 332->343 336->343 340 1070a5e-1070a6c 337->340 341 1070a5c 337->341 338->339 342 1070b2d 338->342 346 1070b36 339->346 340->340 345 1070a6e 340->345 341->340 342->339 343->325 345->336 346->346
                                          APIs
                                          • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 01070AC1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: BaseModuleName
                                          • String ID:
                                          • API String ID: 595626670-0
                                          • Opcode ID: 70b21fb43e4b7a2f1e184b4af33aa2730e6fef77d9b844bf2425299099a1f4be
                                          • Instruction ID: 62fc355a8972ce7959681c6ddeb145a6e43514a653e46283270bb6b3b13b9e54
                                          • Opcode Fuzzy Hash: 70b21fb43e4b7a2f1e184b4af33aa2730e6fef77d9b844bf2425299099a1f4be
                                          • Instruction Fuzzy Hash: A9415670D00348DFDB18DFA9C894BAEBBF1BF49314F148269E859AB255D774A840CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 347 10709c0-1070a23 349 1070a25-1070a4a 347->349 350 1070a92-1070ad1 K32GetModuleBaseNameA 347->350 356 1070a4c-1070a4e 349->356 357 1070a7a-1070a7f 349->357 351 1070ad3-1070ad9 350->351 352 1070ada-1070ae8 350->352 351->352 354 1070afe-1070b25 352->354 355 1070aea-1070af6 352->355 363 1070b27-1070b2b 354->363 364 1070b35 354->364 355->354 361 1070a70-1070a78 356->361 362 1070a50-1070a5a 356->362 368 1070a81-1070a8d 357->368 361->368 365 1070a5e-1070a6c 362->365 366 1070a5c 362->366 363->364 367 1070b2d 363->367 371 1070b36 364->371 365->365 370 1070a6e 365->370 366->365 367->364 368->350 370->361 371->371
                                          APIs
                                          • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 01070AC1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: BaseModuleName
                                          • String ID:
                                          • API String ID: 595626670-0
                                          • Opcode ID: c23cc217d4036ad0d0cfe2fd5f1415a942c05245749fed9c63606f40f1fd9da1
                                          • Instruction ID: 9351f6fd97ed73d527b67c3caa927be47afba648a372c70e856946abe2987f6b
                                          • Opcode Fuzzy Hash: c23cc217d4036ad0d0cfe2fd5f1415a942c05245749fed9c63606f40f1fd9da1
                                          • Instruction Fuzzy Hash: 8E417470D002089FDB18DFA9C884B9EBBF1BF49314F148269E859AB358C774A880CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 372 113f750-113f75b 374 113f761-113f798 372->374 375 113f75d 372->375 376 113f75e-113f760 374->376 381 113f79a-113f7eb 374->381 375->376 384 113f7fb-113f82b Wow64SetThreadContext 381->384 385 113f7ed-113f7f9 381->385 387 113f834-113f864 384->387 388 113f82d-113f833 384->388 385->384 388->387
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000001), ref: 0113F81E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: d6e7ef53084dbec1360490ce38d5c77bc09b9265286c2c581d7f520a2fb3b8a8
                                          • Instruction ID: e8bf04b5d81a29c80b1ca5d07fe9811b7d76e36e1eb8c554f1a95c5e68ecf9ea
                                          • Opcode Fuzzy Hash: d6e7ef53084dbec1360490ce38d5c77bc09b9265286c2c581d7f520a2fb3b8a8
                                          • Instruction Fuzzy Hash: C831CC70D043499FCB14DFA9C841BAEBFF4EF89310F10806AD409EB251DB389946CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 392 5aeb010-5aeb062 394 5aeb06d-5aeb071 392->394 395 5aeb064-5aeb06a 392->395 396 5aeb079-5aeb0b6 CopyFileW 394->396 397 5aeb073-5aeb076 394->397 395->394 398 5aeb0bf-5aeb0e0 396->398 399 5aeb0b8-5aeb0be 396->399 397->396 399->398
                                          APIs
                                          • CopyFileW.KERNELBASE(?,00000000,?), ref: 05AEB0A9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2692306373.0000000005AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5ae0000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: CopyFile
                                          • String ID:
                                          • API String ID: 1304948518-0
                                          • Opcode ID: 8c58b2c1512b7dea5ff49e3fe47b41ea4ed382f18e91677d59afe98f352a4635
                                          • Instruction ID: 592d0fd49fc8b9bb3b51eae24680812ed1dde351629c0e7798b7d5e4bbd359c3
                                          • Opcode Fuzzy Hash: 8c58b2c1512b7dea5ff49e3fe47b41ea4ed382f18e91677d59afe98f352a4635
                                          • Instruction Fuzzy Hash: 0F2128B1C012199FCB10CF9AD584BEEFBF5FF48310F14816AE818A7245D739AA44CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 401 113f9c0-113fa0e 403 113fa10-113fa1c 401->403 404 113fa1e-113fa5d WriteProcessMemory 401->404 403->404 406 113fa66-113fa96 404->406 407 113fa5f-113fa65 404->407 407->406
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0113FA50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: a8d0101dbfe29fea7cdb4d521b0738e25b8dff3793ad0fe86c9dd8f27caaedf7
                                          • Instruction ID: bb2ca8eb5305bc2bd235b830a44705fc059ed59ee4d9cf5552529c304e0c4a09
                                          • Opcode Fuzzy Hash: a8d0101dbfe29fea7cdb4d521b0738e25b8dff3793ad0fe86c9dd8f27caaedf7
                                          • Instruction Fuzzy Hash: 2B2148B1D003099FDB10CFA9C885BEEBBF5FF48310F108429E518A7240C778A545CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 419 1071000-1071052 422 1071054-107105c 419->422 423 107105e-107108d EnumChildWindows 419->423 422->423 424 1071096-10710c3 423->424 425 107108f-1071095 423->425 425->424
                                          APIs
                                          • EnumChildWindows.USER32(?,00000000,?), ref: 01071080
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID:
                                          • API String ID: 3555792229-0
                                          • Opcode ID: 2e40f9420456b388fb44a1de612033024bcdb2dff5caf36ddfef714276f8925b
                                          • Instruction ID: ac29f138b6f85c2a9b911d5c7f7d10dc0bd015e49dc1a75655046ebc7bad9148
                                          • Opcode Fuzzy Hash: 2e40f9420456b388fb44a1de612033024bcdb2dff5caf36ddfef714276f8925b
                                          • Instruction Fuzzy Hash: BB2139B1D002498FDB14CFAAC944BEEFBF5EF48310F14846AE458A7290C779A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 411 1070358-10703af 414 10703b1-10703b9 411->414 415 10703bb-10703f0 K32EnumProcesses 411->415 414->415 416 10703f2-10703f8 415->416 417 10703f9-107041a 415->417 416->417
                                          APIs
                                          • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 010703E3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: EnumProcesses
                                          • String ID:
                                          • API String ID: 84517404-0
                                          • Opcode ID: a3e490c820426677f5982add2425e45181e1595df212f6e218165e26abfa85e4
                                          • Instruction ID: bac63b26870b3779e33ecbb2fdb5fa53dd88933d38de579ed337e62e47baa0ed
                                          • Opcode Fuzzy Hash: a3e490c820426677f5982add2425e45181e1595df212f6e218165e26abfa85e4
                                          • Instruction Fuzzy Hash: D221E2B1D012199FDB00CF99D985BEEFBF8FB49310F10826AE508A7241D778A944CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Blocks: 429 [1070360-10703af], 431 [10703b1-10703b9], 432 [10703bb-10703f0, calls K32EnumProcesses], 433 [10703f2-10703f8], 434 [10703f9-107041a]
                                          • Edges: 429->431, 429->432, 431->432, 432->433, 432->434, 433->434
                                          APIs
                                          • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 010703E3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: EnumProcesses
                                          • String ID:
                                          • API String ID: 84517404-0
                                          • Opcode ID: 9ca1b3d87555440ceafa277f53e292c0f7ea3dd84b15ce50a96c5d5dcaf67ca5
                                          • Instruction ID: caed70365c1b69914341492ebcce347d6029c1def92d9f793c9fa794a6078614
                                          • Opcode Fuzzy Hash: 9ca1b3d87555440ceafa277f53e292c0f7ea3dd84b15ce50a96c5d5dcaf67ca5
                                          • Instruction Fuzzy Hash: 482104B1D012199FDB00CF9AD885BDEFBF8FB49310F10826AE508A3340D778A944CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Blocks: 436 [1070880-1070908, calls K32EnumProcessModules], 439 [1070911-1070939], 440 [107090a-1070910]
                                          • Edges: 436->439, 436->440, 440->439
                                          APIs
                                          • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 010708FB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: EnumModulesProcess
                                          • String ID:
                                          • API String ID: 1082081703-0
                                          • Opcode ID: b4cd2d1f839d3e0fd7d7c96acb34e0ea25aa4164efaf788a1702eab28cfe9a01
                                          • Instruction ID: 0d910ba01acab4361bdd4a417b1006b5ee09971c79060e2310a1dafa67d33056
                                          • Opcode Fuzzy Hash: b4cd2d1f839d3e0fd7d7c96acb34e0ea25aa4164efaf788a1702eab28cfe9a01
                                          • Instruction Fuzzy Hash: DD2115B2D002499FCB10DF9AC484BDEBBF5EF49310F10846AE958A7251D778A645CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Blocks: 443 [1071008-1071052], 445 [1071054-107105c], 446 [107105e-107108d, calls EnumChildWindows], 447 [1071096-10710c3], 448 [107108f-1071095]
                                          • Edges: 443->445, 443->446, 445->446, 446->447, 446->448, 448->447
                                          APIs
                                          • EnumChildWindows.USER32(?,00000000,?), ref: 01071080
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID:
                                          • API String ID: 3555792229-0
                                          • Opcode ID: 4d938b0f46cbfac303987e74a6056f3121cd9dade7c75b9cc994524ad671cc53
                                          • Instruction ID: fa24db219a490a19d1e778f8ebfa7c577273b47a538c3c8d5f8acc7f784c46b9
                                          • Opcode Fuzzy Hash: 4d938b0f46cbfac303987e74a6056f3121cd9dade7c75b9cc994524ad671cc53
                                          • Instruction Fuzzy Hash: CB212C71D002498FDB14CF9AC944BEEFBF5EF48310F148429E558A3290C779A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 010708FB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2689937387.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1070000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: EnumModulesProcess
                                          • String ID:
                                          • API String ID: 1082081703-0
                                          • Opcode ID: a3a86be2522de6eb8853d6d0bd49d49e611bd239a4f6005e48fd97f8b17779d5
                                          • Instruction ID: 183505498b6f3bac70f61fac435741b433b075a6cd57cc8f2cf011e3763db639
                                          • Opcode Fuzzy Hash: a3a86be2522de6eb8853d6d0bd49d49e611bd239a4f6005e48fd97f8b17779d5
                                          • Instruction Fuzzy Hash: 9D21F2B6D002499FCB10DF9AC584BDEBBF5EF48320F108429E958A7250D778AA44CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0113A44C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: d3868d03cf68b6f0b390142d0db5d697c225f66be33d1751c665923dc3c63028
                                          • Instruction ID: 55452c1b112ee6cd043d1bb4a89f46a0c504e22d378e31a736bd1f8745326a76
                                          • Opcode Fuzzy Hash: d3868d03cf68b6f0b390142d0db5d697c225f66be33d1751c665923dc3c63028
                                          • Instruction Fuzzy Hash: E11127B1D002089FDB14DFAAC844AAEFBF4EF48320F148419D419A7250C778A944CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0113F94E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 1ccd7d3d76163b26fa122f9200f1e937491426a1fdce1320438e34ede41c9c13
                                          • Instruction ID: f0e656a4d7d35d7ea4dfd533e66e001b840e68128d633534450345bf18b88469
                                          • Opcode Fuzzy Hash: 1ccd7d3d76163b26fa122f9200f1e937491426a1fdce1320438e34ede41c9c13
                                          • Instruction Fuzzy Hash: E61126718002499FDB14DFAAC945AEFBFF5EF88320F108419E519A7250CB79A544CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 2f01d2085761955ebfbc8cd0feb390c66d8334b2e60bf239e717454c63eeaa6e
                                          • Instruction ID: 7378d5e264b2c30db5e312308d30d45054fe121f1c0c241c8e3031701a6b75e3
                                          • Opcode Fuzzy Hash: 2f01d2085761955ebfbc8cd0feb390c66d8334b2e60bf239e717454c63eeaa6e
                                          • Instruction Fuzzy Hash: 0A1136B1D002488FDB24DFAAD5457AFFBF5EF88320F208419D559A7240CB79A944CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2675088955.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ecd000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 75631cfd61a758750dc64494d0fc6846cdf64877b9bc5fc799243c562b90f29c
                                          • Instruction ID: bafc714d31f0ed846f1e78ccf5cb54d56f933dcf61cc4424f8bf3fba59b1764a
                                          • Opcode Fuzzy Hash: 75631cfd61a758750dc64494d0fc6846cdf64877b9bc5fc799243c562b90f29c
                                          • Instruction Fuzzy Hash: A321C3B16492449FDB04DF14DE80F2ABBA5FB94728F28C57DD8095B251C33BD847C6A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2675088955.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ecd000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f60d13eede1d90ee772a828cada2728786931f3453aff5888d83412b0df648b6
                                          • Instruction ID: 219307c6c61b3f58bbf79ce18520e34e6f63300db1a65e2c5edd2cc62da254a4
                                          • Opcode Fuzzy Hash: f60d13eede1d90ee772a828cada2728786931f3453aff5888d83412b0df648b6
                                          • Instruction Fuzzy Hash: 6F11C471509280DFD701DF14DA84B15FB61FB94318F28C6AED8495B652C33BD80BCB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2690125520.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1130000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'jq
                                          • API String ID: 0-3676250632
                                          • Opcode ID: 6f8d6366a2f4bbe03de40189fe3f00e3db956f30a866b58dcf781a70856917c8
                                          • Instruction ID: 54b9d25bb42d8022c9286e97bebfdcea62d61a50d3d0bc3e10dbcc29ba356e97
                                          • Opcode Fuzzy Hash: 6f8d6366a2f4bbe03de40189fe3f00e3db956f30a866b58dcf781a70856917c8
                                          • Instruction Fuzzy Hash: EF611570A046448FD748EF7BE951A9ABBEBFFC8300F14D139D404AB269EB35590ACB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2692306373.0000000005AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5ae0000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 226a4a868f480710118b8be8d69b206aff26029ff0bfffae9ecd03f54273569a
                                          • Instruction ID: 2a7b5ee6dae5de45b632e27f98446cb5fdd97a317377cf6ccccedb49a7f82631
                                          • Opcode Fuzzy Hash: 226a4a868f480710118b8be8d69b206aff26029ff0bfffae9ecd03f54273569a
                                          • Instruction Fuzzy Hash: 0EA19D71E00529DFCB14CBA9D980AADFBF1FF88309F288669D455E7205D730E952CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2692306373.0000000005AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5ae0000_3vj5tYFb6a.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 81b978da9864c8ac54efc4c1c0fa73e6d17b096defb9c1ec4b22e5043dc1e7b5
                                          • Instruction ID: 7a44542e6710b90690c481a6cc74c1ff0365bacee3f94292ff980e79a6730c23
                                          • Opcode Fuzzy Hash: 81b978da9864c8ac54efc4c1c0fa73e6d17b096defb9c1ec4b22e5043dc1e7b5
                                          • Instruction Fuzzy Hash: DA715D71E006299FCB14CFA9D984AAEFBF2FF88315F188529D454E7205D7309942CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ojq$(ojq$(ojq$,nq$,nq
                                          • API String ID: 0-954490635
                                          • Opcode ID: 9de48fb3d8bc01e767cff5aec45c29a130e0e46fd71a9ee8570c63708532c342
                                          • Instruction ID: 203fe1a3d35d5031b8ffbaa1ef76661be6d2001b3b310aa62e5ec3ed283e8998
                                          • Opcode Fuzzy Hash: 9de48fb3d8bc01e767cff5aec45c29a130e0e46fd71a9ee8570c63708532c342
                                          • Instruction Fuzzy Hash: 6E024A70A00219DFDB15CF69CD84AAEBBB6BF88300F998069E915AB3A5D730DD51CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0oqp$Ljqp$Ljqp$PHjq$PHjq
                                          • API String ID: 0-3005213711
                                          • Opcode ID: 627a1e2480c2954cf5372fd3d5476f5d1d910c9630bc1b72858abdd4dd7d9a32
                                          • Instruction ID: 2be27be5e713d246ed09080bababb71b9162143f0833212987b85090077d2d36
                                          • Opcode Fuzzy Hash: 627a1e2480c2954cf5372fd3d5476f5d1d910c9630bc1b72858abdd4dd7d9a32
                                          • Instruction Fuzzy Hash: 7A91D274E002588FDB14CFA9D944A9DBBF2BF89310F64C06AE409AB365DB749D45CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ojq$4'jq
                                          • API String ID: 0-4148772637
                                          • Opcode ID: 5da52f6acbfdd0427818c854c6707ed201e9c924db3f673b715a13011f99e7cd
                                          • Instruction ID: 814369b9f261536c0e15334c4b2a2acbad6c28d57e5c1ae3934f40104881bbff
                                          • Opcode Fuzzy Hash: 5da52f6acbfdd0427818c854c6707ed201e9c924db3f673b715a13011f99e7cd
                                          • Instruction Fuzzy Hash: 08826A30A006099FCB15CF68C984AAEBBF6FF88304F658559E5069B3A6D734ED51CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ojq$Hnq
                                          • API String ID: 0-4162186043
                                          • Opcode ID: c52a97c896edb7ecb88b096278e6860e326e84dae7cc2002e4b868fdace1cca6
                                          • Instruction ID: 0d1c24a7a0256138832d8330b7b6ec31ad0af5acd05795fe2e9132d111b21ac2
                                          • Opcode Fuzzy Hash: c52a97c896edb7ecb88b096278e6860e326e84dae7cc2002e4b868fdace1cca6
                                          • Instruction Fuzzy Hash: B6129C70A002199FDB15CF69CD44AAEBBF6BF88300F148569E80A9B395DF349D42CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ojq$(ojq$(ojq$(ojq$(ojq$(ojq$,nq$,nq
                                          • API String ID: 0-912422979
                                          • Opcode ID: 3abdceac43d0d15eb841473ca8bb84b2b5939b12dfdbc922103d3f227c62489c
                                          • Instruction ID: 9f999099757092615127729c05bfc6730916411bfa2c1a8c47e70fb9fd8e37fb
                                          • Opcode Fuzzy Hash: 3abdceac43d0d15eb841473ca8bb84b2b5939b12dfdbc922103d3f227c62489c
                                          • Instruction Fuzzy Hash: 46223930A002498FCB15CF68D984AAEBBF6FF89310F5985A9E5059B3A2D731ED45CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'jq$4'jq$;jq
                                          • API String ID: 0-1429056558
                                          • Opcode ID: 986afbbbfce1d0a69195a36233207f2b7a45b822e6920a8412eaaab6420701e3
                                          • Instruction ID: 68bcdf442b371448e5edfec6fa7ade2c463aedf074f7d308834817c9906a17d0
                                          • Opcode Fuzzy Hash: 986afbbbfce1d0a69195a36233207f2b7a45b822e6920a8412eaaab6420701e3
                                          • Instruction Fuzzy Hash: 6B125E307042118FEB259A2DCD6473D7BAEEF85746F9540AAE502CB3A6DB29CC42CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $jq$$jq
                                          • API String ID: 0-3720491408
                                          • Opcode ID: 220920410ad1d0bbbe52decc411111167123dee5e8156fc6644ef074ea2eb183
                                          • Instruction ID: e0783909661d5ed53bc51e38d6cf69815b4a50be28487ba0dc9b90c55cce8e65
                                          • Opcode Fuzzy Hash: 220920410ad1d0bbbe52decc411111167123dee5e8156fc6644ef074ea2eb183
                                          • Instruction Fuzzy Hash: 93525E74A002188FEB559BA8CD60BAEBB77FF84301F1080ADC50A6B3A6CB355D85CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Xnq$Xnq
                                          • API String ID: 0-10259684
                                          • Opcode ID: 29e21ca7e057bfda96d0f0db0eec2f462dda76df856d9450cf11c5fdde835c81
                                          • Instruction ID: df54c6b06c3a2c719c2a6dc5578d700b295b47a728bb7ade3e5d6215ab7c0924
                                          • Opcode Fuzzy Hash: 29e21ca7e057bfda96d0f0db0eec2f462dda76df856d9450cf11c5fdde835c81
                                          • Instruction Fuzzy Hash: D9025D796CC3D26BD7028A394C4B795FF16AF06710F0C86DAE5948F1C3E2A7958287D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hnq$Hnq
                                          • API String ID: 0-3075287205
                                          • Opcode ID: 134358d28e462fc3b2b397f34ca3189b554f4d21acc88bd3110e5b61270050b6
                                          • Instruction ID: ced4158c3e9a81009dd2ed3ee1a117b7c6af27ab7b1dfa8c2ffe79f74ca45e02
                                          • Opcode Fuzzy Hash: 134358d28e462fc3b2b397f34ca3189b554f4d21acc88bd3110e5b61270050b6
                                          • Instruction Fuzzy Hash: 9BB19B317042258FDB26DF68DC54A7A7BA2BF88314F558569E807CB3A5DB38CC42CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,nq$,nq
                                          • API String ID: 0-3932345633
                                          • Opcode ID: f64c0cc3e106c490e192ff199433916803ac7978cfdc7c20aa45092d82f5b385
                                          • Instruction ID: 939d2f3c2bce02eddc94fa3077f77b6c53251183218d5dc2829a3f8e769b6855
                                          • Opcode Fuzzy Hash: f64c0cc3e106c490e192ff199433916803ac7978cfdc7c20aa45092d82f5b385
                                          • Instruction Fuzzy Hash: D8917D34A002059FCB14DF6DCC9496EBBB6BF89211B9582A9D507EB3A9D731EC41CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'jq$4'jq
                                          • API String ID: 0-1204115232
                                          • Opcode ID: b6ade959656a2484f48baa21d12e1888f7d810e368fcedb143a24f85f0f12b0f
                                          • Instruction ID: 3a2d8a7513c88b74071343014d894bf2c42e8f318c0cc232836696c4edc22e1e
                                          • Opcode Fuzzy Hash: b6ade959656a2484f48baa21d12e1888f7d810e368fcedb143a24f85f0f12b0f
                                          • Instruction Fuzzy Hash: FD5180307002459FDB159B6CCC44B6ABBAFEF88351F5480A6EA08CB356EB75CC018BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: V$d8oq
                                          • API String ID: 0-68100403
                                          • Opcode ID: bb6ca0871c63f0f14805e73eb504840fdf899dff85fbd80da0a0ac2ec6a9b6b1
                                          • Instruction ID: 8212cd95f774e7363831c357447307411499581b47a2499663ae748baf061e18
                                          • Opcode Fuzzy Hash: bb6ca0871c63f0f14805e73eb504840fdf899dff85fbd80da0a0ac2ec6a9b6b1
                                          • Instruction Fuzzy Hash: 13319F303007418FD725DB3DDC58B2A7BAAAFC5314F1484A8E1468B7B2DBA5EC04CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRjq
                                          • API String ID: 0-665714880
                                          • Opcode ID: 5b6bc11f9d4a01b27f8130e694a255edfd232b0ef72b84feec8912a54c3ec811
                                          • Instruction ID: 34456f550924ad29fdf26ad4eedca161ff88fcfd860905dc9e2b4b01279fc3a8
                                          • Opcode Fuzzy Hash: 5b6bc11f9d4a01b27f8130e694a255edfd232b0ef72b84feec8912a54c3ec811
                                          • Instruction Fuzzy Hash: C4B1DC70A0120ACFCB14DFB8EA9499EBBB5FF48301B209579D405AB3A5DB396D05CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRjq
                                          • API String ID: 0-665714880
                                          • Opcode ID: 9de85d64695e1758712cf5445e76a07cf8c454c2fbc500d7a26986e2610d4097
                                          • Instruction ID: b5229e7d0d9f2b0193912555aad3ba8e688b67280c4c9f5a77eb23b0e7f37b62
                                          • Opcode Fuzzy Hash: 9de85d64695e1758712cf5445e76a07cf8c454c2fbc500d7a26986e2610d4097
                                          • Instruction Fuzzy Hash: B4B1BC70A0120ACFCB14DFB8EA9499EBBB5FF48301B209579D405A73A5DB396D05CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ojq
                                          • API String ID: 0-3210286679
                                          • Opcode ID: d24875f5779c065ac41d675e5be0b1be4cc29ed72ca6af1bfa6341a12a735aa2
                                          • Instruction ID: 1e55c2a5ff323217b80dbf47a1c71596430570acebe8055cefc9af5ca081d312
                                          • Opcode Fuzzy Hash: d24875f5779c065ac41d675e5be0b1be4cc29ed72ca6af1bfa6341a12a735aa2
                                          • Instruction Fuzzy Hash: D841AE31B002589FCB199BA8DC146AE7BB6BFC9311F58846ED906D7392CA319C11CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: V
                                          • API String ID: 0-1342839628
                                          • Opcode ID: aee2350c25bd30692d6721b113ab02be8871d11663aa6092f764ea4215d4a530
                                          • Instruction ID: 78f76e4d08fcf0c6b66c0222172e4d22b81130db0073532459b642927a71f7e1
                                          • Opcode Fuzzy Hash: aee2350c25bd30692d6721b113ab02be8871d11663aa6092f764ea4215d4a530
                                          • Instruction Fuzzy Hash: B741D0307487418FC726CB38EC58A6A3FB5AF82214B1844EEE446CB7A2DB659C05CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: d8oq
                                          • API String ID: 0-2048867746
                                          • Opcode ID: 12c3e886dcdb9c6000c1d6a36224c68b8e89e09de23d16495f9990729f6682b1
                                          • Instruction ID: eb2d95baa474d869d1dee1b8e9c7f2c4e76afd5a6fb196803412d4bf2355f1ac
                                          • Opcode Fuzzy Hash: 12c3e886dcdb9c6000c1d6a36224c68b8e89e09de23d16495f9990729f6682b1
                                          • Instruction Fuzzy Hash: 67014F302007858FDB25EB2DDC48B6AFBDAAFC0314F14D928D15687665EFA4EC49CB41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3bd3998604294dc61df9ed566fc8fdf020fd82b80b9c05f3ccc13cd3775169f
                                          • Instruction ID: 891f9d1ecc6d6dd795130208f2dec08943c456dc0f5b987f348ee782b56700ca
                                          • Opcode Fuzzy Hash: f3bd3998604294dc61df9ed566fc8fdf020fd82b80b9c05f3ccc13cd3775169f
                                          • Instruction Fuzzy Hash: EEF12C75A002158FCB15CFACC9889ADBBF6FF89310B5A845AE505AB365CB35EC41CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18dde3b3ed959506870470828a61a5c5ec01782de338f692246ef6aad530b4c3
                                          • Instruction ID: a24072ec864c67d2a601d2d408b1ab623c180406a638a6e5f0cd4fb9b394139c
                                          • Opcode Fuzzy Hash: 18dde3b3ed959506870470828a61a5c5ec01782de338f692246ef6aad530b4c3
                                          • Instruction Fuzzy Hash: D871F3347002458FDB25DF28C898A6A7BE6EF49744B5900A9E906CB3B2DB72DC41CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe2878b0b3fe68c2457cfdac92c7facef9468b4513c9c948f041c99cfc112807
                                          • Instruction ID: e572aec3b7c395777d53a83e4ea8070fe0de8c150ae0c3171b6ae8089698f447
                                          • Opcode Fuzzy Hash: fe2878b0b3fe68c2457cfdac92c7facef9468b4513c9c948f041c99cfc112807
                                          • Instruction Fuzzy Hash: F0517274E01208DFCB18DFA9D98499DBBB2FF89310B609069E805BB364DB35AD46CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56448f62ad4161884a72080dcf3e744b96cdd8a4cfc2d79fa3b99762b66b9341
                                          • Instruction ID: 38b9784e191bc083c269d3d352be5d9dfc10014b8726ae802ba4d7e789765ca7
                                          • Opcode Fuzzy Hash: 56448f62ad4161884a72080dcf3e744b96cdd8a4cfc2d79fa3b99762b66b9341
                                          • Instruction Fuzzy Hash: 6041BB30A002599FDF22CFA8CC45AADBFB2AF49318F608055E9559B256D331ED15CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3fb18502806bbdd65fd3937e9b3349020621a1b13aa3876df9b08a22351f323
                                          • Instruction ID: 8fa22a45e0f8ff90b123bf360c2e4c2d444cfd970c3ec6eb9bf726f9a2b329a7
                                          • Opcode Fuzzy Hash: b3fb18502806bbdd65fd3937e9b3349020621a1b13aa3876df9b08a22351f323
                                          • Instruction Fuzzy Hash: 15415E71A046109FC716CF6CCC48A557BA5EF4A324B5986A6E91ACF3B2C331EC11CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43f1993996673e3bb8a2e6db579b2b493a1773420d53cc1cafd8f3863c7f788b
                                          • Instruction ID: ec509542897c1fa09a4ea297493d1e5b2f8d98a951531e6ad26a2c064cbf58ee
                                          • Opcode Fuzzy Hash: 43f1993996673e3bb8a2e6db579b2b493a1773420d53cc1cafd8f3863c7f788b
                                          • Instruction Fuzzy Hash: 74315B3160410A9FCB169FA8DC44ABF3BA6FB88211F544028F9059B395CB79CD61CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c197b7ece5bb202ef61ffbf9e6863693fd69bad9104128f368c88a3356fbcee
                                          • Instruction ID: e4056ba9aef751f0c3500566d3fd3e0f0c9b9b17a5ffb30b55832faa8d181789
                                          • Opcode Fuzzy Hash: 5c197b7ece5bb202ef61ffbf9e6863693fd69bad9104128f368c88a3356fbcee
                                          • Instruction Fuzzy Hash: 3F21E5307042614FDB2A173D8D5467E7B97AFC9654B98507AD402CB3AAEF26CC029F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e3772969e3ccfc2627262be8256f31703fb1df560949ecc1bb0fcae4e2e1ce78
                                          • Instruction ID: 3d42a944289fb5993801578cb26fe3e32415ea5bee8aafc1f866a3c562b5ec60
                                          • Opcode Fuzzy Hash: e3772969e3ccfc2627262be8256f31703fb1df560949ecc1bb0fcae4e2e1ce78
                                          • Instruction Fuzzy Hash: 9C319270A006158FCB05CFACCC849AFBBB6BF89320B55855AE515DB3A6CB759C42CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73cedfbe89b2ff97779126620d13e547a9645a419de64218b63d73843cc39aa6
                                          • Instruction ID: 52fd9475fb8a744a69f4b0643fa57104d32b66523b5fb59174812e645fe75af2
                                          • Opcode Fuzzy Hash: 73cedfbe89b2ff97779126620d13e547a9645a419de64218b63d73843cc39aa6
                                          • Instruction Fuzzy Hash: FE21D4303042214BEB2A272D8D54B7E768BAFC8714F945039D506CB399EF3ACC42DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f54dbb3fc6a2a472ae5e027742df5f16c6ede47f71733fccec507f3add386ae
                                          • Instruction ID: 2caf21ba37819452ebd716a1d7d7874234b68e12b20a8fd760993e24bbef982b
                                          • Opcode Fuzzy Hash: 2f54dbb3fc6a2a472ae5e027742df5f16c6ede47f71733fccec507f3add386ae
                                          • Instruction Fuzzy Hash: F931AD31605245DFCB12DF1CD8849AABBFAFF49361F9488A2E944D7215C731ED228BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97f699a78dd64bfe5b5bd7099369507e8b126c103edb17c24526e925d52a8eaa
                                          • Instruction ID: badbf16f4befb298afb77c67ea7bb693efff6564c478b49de0dd442d8e2dfcff
                                          • Opcode Fuzzy Hash: 97f699a78dd64bfe5b5bd7099369507e8b126c103edb17c24526e925d52a8eaa
                                          • Instruction Fuzzy Hash: DD31D131A042858FCB269F28EC0863B3BA6FB45311F59446DE505CB396CB78CC15CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07c69ea0c246c93b8b3296890857602ce495a6ba42b3975e9c4d585fa8c090a2
                                          • Instruction ID: b60edef477c742ef58422696f3a5ccf854be195078deb5412db8b3ae4372c4d7
                                          • Opcode Fuzzy Hash: 07c69ea0c246c93b8b3296890857602ce495a6ba42b3975e9c4d585fa8c090a2
                                          • Instruction Fuzzy Hash: 8D21B235A001159FCB15CF78C9409AE77B5EF8A260F50C069D8199B354EB35EE02CBC1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7a7cd2a2f98d70a89e93539ed345fcb2d0b155aeffd3b328b1c461cce1e1b26
                                          • Instruction ID: 7e62ac294f5cf72978c6b03d75b073b1a8382703874f435edcb0d86c4bb67ff1
                                          • Opcode Fuzzy Hash: d7a7cd2a2f98d70a89e93539ed345fcb2d0b155aeffd3b328b1c461cce1e1b26
                                          • Instruction Fuzzy Hash: 3E21CD357006128FD729DA69DC5493EB7A2FB8A621B15816AE907CF3A4CF34DC028FC0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2744995907.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_160d000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8556ac1206145bb6daa5cab8508eb5e0966880434f50c7640a8c6bf4ce9130d0
                                          • Instruction ID: 216597ffaf59f7e5d04b87fd900d57bf572c840b441ea54b50bdf3f15df8f058
                                          • Opcode Fuzzy Hash: 8556ac1206145bb6daa5cab8508eb5e0966880434f50c7640a8c6bf4ce9130d0
                                          • Instruction Fuzzy Hash: 9121C471504204DFDB1BDF98D980B27BF65FB98318F248669ED090A296C337D456CAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6c5a715fce6d289a102258c464698be1f01f52c358ac14b832e67f008dbc18e
                                          • Instruction ID: 4f12d85c79d8a13bd0ff4cd82110301290d89c46d91bf05439204f416efe906d
                                          • Opcode Fuzzy Hash: c6c5a715fce6d289a102258c464698be1f01f52c358ac14b832e67f008dbc18e
                                          • Instruction Fuzzy Hash: 8C214B70A002489FDB15CFA9D950AAEBFB6FF88241F64806AE551B7290DB359D41CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d261c3e9b3e8a5d887b2b5e5d1486dc839e0747bef6f035893db0fa17082d33c
                                          • Instruction ID: df31f11d5d1a509318f64513e62461e7286f2663784f12a552c8480054e1422f
                                          • Opcode Fuzzy Hash: d261c3e9b3e8a5d887b2b5e5d1486dc839e0747bef6f035893db0fa17082d33c
                                          • Instruction Fuzzy Hash: 1111CE313006128FD7299A2ADC5493EB7A6FF8A66175500A9EA07CF364DF24DC028BC0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.2745320592.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_22_2_16a0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d14c20f8a5975de8b2379beb8a484eb32677a5de412fbbbdc6de2fadf5533b5a
                                          • Instruction ID: 801495c607302ec037859c9f9d07f19b9d743978c5a926b75fcc84ee4303f17a
                                          • Opcode Fuzzy Hash: d14c20f8a5975de8b2379beb8a484eb32677a5de412fbbbdc6de2fadf5533b5a
                                          • Instruction Fuzzy Hash: 6121ABB4C0520A8FCB50EFA8D9555EEBFF4FB4A310F10916AD805B3224EB345A95CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%
