Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
MicrosoftService.exe

Overview

General Information

Sample name:MicrosoftService.exe
Analysis ID:1465855
MD5:01fd03e1f9ddbeee002267238428ac26
SHA1:a3832b5be0fb96431c231e605b88a3c3776d4207
SHA256:d6573c5df0eb1cc96116089788e3cc17f647046f4806d10ac2d6a430c553bd15
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • MicrosoftService.exe (PID: 4612 cmdline: "C:\Users\user\Desktop\MicrosoftService.exe" MD5: 01FD03E1F9DDBEEE002267238428AC26)
    • powershell.exe (PID: 1496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftService.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' Microsoft Service.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["89.213.177.81"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
MicrosoftService.exeJoeSecurity_XWormYara detected XWormJoe Security
    MicrosoftService.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      MicrosoftService.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xd903:$s6: VirtualBox
      • 0xd861:$s8: Win32_ComputerSystem
      • 0x10742:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x107df:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x108f4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xfb80:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xd703:$s6: VirtualBox
        • 0xd661:$s8: Win32_ComputerSystem
        • 0x10542:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x105df:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x106f4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xf980:$cnc4: POST / HTTP/1.1
        00000000.00000002.3238237708.000000000275A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000000.00000002.3238237708.0000000002711000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            Process Memory Space: MicrosoftService.exe PID: 4612JoeSecurity_XWormYara detected XWormJoe Security

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.0.MicrosoftService.exe.330000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                0.0.MicrosoftService.exe.330000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                  0.0.MicrosoftService.exe.330000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0xd903:$s6: VirtualBox
                  • 0xd861:$s8: Win32_ComputerSystem
                  • 0x10742:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0x107df:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0x108f4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0xfb80:$cnc4: POST / HTTP/1.1

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftService.exe", ParentImage: C:\Users\user\Desktop\MicrosoftService.exe, ParentProcessId: 4612, ParentProcessName: MicrosoftService.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', ProcessId: 1496, ProcessName: powershell.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftService.exe", ParentImage: C:\Users\user\Desktop\MicrosoftService.exe, ParentProcessId: 4612, ParentProcessName: MicrosoftService.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', ProcessId: 1496, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Service Host: Microsoft Service.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MicrosoftService.exe, ProcessId: 4612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftService.exe", ParentImage: C:\Users\user\Desktop\MicrosoftService.exe, ParentProcessId: 4612, ParentProcessName: MicrosoftService.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', ProcessId: 1496, ProcessName: powershell.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftService.exe", ParentImage: C:\Users\user\Desktop\MicrosoftService.exe, ParentProcessId: 4612, ParentProcessName: MicrosoftService.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe', ProcessId: 1496, ProcessName: powershell.exe

                  Snort Signatures

                  Timestamp:07/02/24-07:38:56.500378
                  SID:2852923
                  Source Port:59133
                  Destination Port:7000
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:07/02/24-07:38:51.102958
                  SID:2852874
                  Source Port:7000
                  Destination Port:59133
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:07/02/24-07:39:03.281373
                  SID:2852870
                  Source Port:7000
                  Destination Port:59133
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:07/02/24-07:38:17.184940
                  SID:2855924
                  Source Port:59133
                  Destination Port:7000
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: MicrosoftService.exeAvira: detected
                  Found malware configuration
                  Source: MicrosoftService.exeMalware Configuration Extractor: Xworm {"C2 url": ["89.213.177.81"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                  Multi AV Scanner detection for submitted file
                  Source: MicrosoftService.exeVirustotal: Detection: 64%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for sample
                  Source: MicrosoftService.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: MicrosoftService.exeString decryptor: 89.213.177.81
                  Source: MicrosoftService.exeString decryptor: 7000
                  Source: MicrosoftService.exeString decryptor: <123456789>
                  Source: MicrosoftService.exeString decryptor: <Xwormmm>
                  Source: MicrosoftService.exeString decryptor: Service Host
                  Source: MicrosoftService.exeString decryptor: USB.exe
                  Source: MicrosoftService.exeString decryptor: %ProgramData%
                  Source: MicrosoftService.exeString decryptor: Service Host: Microsoft Service.exe
                  Source: MicrosoftService.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: MicrosoftService.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

                  barindex
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 89.213.177.81:7000 -> 192.168.2.5:59133
                  Source: TrafficSnort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.5:59133 -> 89.213.177.81:7000
                  Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:59133 -> 89.213.177.81:7000
                  Source: TrafficSnort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 89.213.177.81:7000 -> 192.168.2.5:59133
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: 89.213.177.81
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: MicrosoftService.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.MicrosoftService.exe.330000.0.unpack, type: UNPACKEDPE
                  Source: global trafficTCP traffic: 192.168.2.5:59133 -> 89.213.177.81:7000
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                  Source: Joe Sandbox ViewASN Name: EDGEtaGCIComGB EDGEtaGCIComGB
                  Source: unknownDNS query: name: ip-api.com
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
                  Source: powershell.exe, 00000008.00000002.2346795935.000001E6EE6E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                  Source: powershell.exe, 00000008.00000002.2346795935.000001E6EE6E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                  Source: powershell.exe, 00000008.00000002.2346613543.000001E6EE5C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                  Source: MicrosoftService.exeString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: powershell.exe, 00000002.00000002.2080152137.0000020617732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2171858450.0000029515BA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2322557886.000001E6E5FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.2064238466.00000206078E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505D5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D618A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: MicrosoftService.exe, 00000000.00000002.3238237708.0000000002711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2064238466.00000206076C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D5F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88ED81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000002.00000002.2064238466.00000206078E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505D5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D618A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 00000002.00000002.2089582976.000002061FE38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
                  Source: powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000005.00000002.2184516749.000002951DFFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                  Source: powershell.exe, 0000000A.00000002.2548301136.000001A8A74CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.t.com/pk
                  Source: powershell.exe, 00000002.00000002.2064238466.00000206076C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D5F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88ED81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000002.00000002.2080152137.0000020617732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2171858450.0000029515BA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2322557886.000001E6E5FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                  Operating System Destruction

                  barindex
                  Protects its processes via BreakOnTermination flag
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: 01 00 00 00 Jump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: MicrosoftService.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.0.MicrosoftService.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F112900_2_00007FF848F11290
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F15EE60_2_00007FF848F15EE6
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F121B10_2_00007FF848F121B1
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F16C920_2_00007FF848F16C92
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F117190_2_00007FF848F11719
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F1AB580_2_00007FF848F1AB58
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848FF30E95_2_00007FF848FF30E9
                  Source: MicrosoftService.exe, 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMicrosoft Service.exe4 vs MicrosoftService.exe
                  Source: MicrosoftService.exeBinary or memory string: OriginalFilenameMicrosoft Service.exe4 vs MicrosoftService.exe
                  Source: MicrosoftService.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: MicrosoftService.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.0.MicrosoftService.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: MicrosoftService.exe, IunOeEUg9VFz5W.csCryptographic APIs: 'TransformFinalBlock'
                  Source: MicrosoftService.exe, IunOeEUg9VFz5W.csCryptographic APIs: 'TransformFinalBlock'
                  Source: MicrosoftService.exe, kntS28BuMXuNLY.csCryptographic APIs: 'TransformFinalBlock'
                  Source: MicrosoftService.exe, 6CHrrhJEpVmYJlCBT3XdMlJxNSCstYP6VICaDfzOIM7D1mlpjnMeUIBz3nuvyGkmHR4O46ag0qiBNN53Px1M6JN.csBase64 encoded string: 'hJSRx1xdYlPck0ynM0/ChXzA/+PlIA+P/eiszTtp3noVCkwGeFkSxQ7y7kBPHhE+'
                  Source: MicrosoftService.exe, hGngWN6oF78GgDwU1aeLwUv4EDP2w.csBase64 encoded string: 'wW96cVtTsaWJ0LJbGxtYDfBl1Byuv5jAAPTSlfSWIXtChZwCwlKNt4bb5qoccEKh', 'Z9Pym7821tJw6eva4xbbTfXtvWzME8HNaKXA2NNFE9ghgJOhxfctqCSr1S7LXWXU', 'ow8h6B2gKXw8Pjr6z7hn22fiWAfJtQeNTm6NSrvh9VTNInwsEpagpoF4wf6Sn35g', 'i6bmYus4XvBHCczyWAVOcZqA4rcoHWx59RxJkfiRI3U9G7YRy7wsaNJxBd7RjtGp', 'ix7BMqMVu2NPN7rUM0GptwdoitBCOLmqLC7a8J4pfjXRPLdVzbKFSE5jOKFGOJfE', 'TGvLQaZTexvhzdQRORSANyuxilxuWvLYnqxZ0iqtIUWS694dhQIN1xnKQ0bqdqnB', 'lHV3q55GMtbEJ2s7pXASi4NqOjaoxPMqgBxLKDcp7ty0eIEmwO2Q0Ox1hBcIozgS', 'Zm0TZHTWwdLKZJDeB3Uv645vHBSPVcGtHrSlKuFvPULiE1nZfPBlm8mado7uie7R5yXpsYp0ERjywxQStWLXRdDk33n9fd47', 'TJ6MbByOwlJNnIJBD1omhn6GpeeBHLAgzNpUsv3WtN2o8Poit9021LvrTXUSnJqQW8h0eiewYr8ygIkwXMcXBednmfKKDu6I', 'obzJN2tFOtVrv7tCqvoBoaF1dyGE1Le7OHdBmHxr8Nurhy8tvg7QyprW9ugC5weEmy8cNEPT65PQ0SbZu44w2LMwmPrXmxLU', 'hRyjNWpCxxsVaXTUJ6YtOjui3K40kOO7bF9Wo6dGtr7ysDAsWXwOcDtHQUUrD6R1txJt2G0tgOSYBivH9fQP29SdNAgCHx9T', 'zBkuC57ZWtUrM6QvBOOVa2g3CdqWoVnnr4BXOlt445JiXKm7qLFGQyWX9XPsahPsh8j5pWXKcP2KEDrAXNCqzjMC54nmpOqO', 'GeMBtWkATZTmSysZu0eG8FLoPv4l3b2ZYwRFgmeF2Wgyj3L8ncWhJuRDXAn8ub5ocJ6RRcUKRkP4j8j5YvaQw0cbsJMXdSHK', 'sDj5ZOphpii6G2HOXXrkbbJfIJ1vSC5RPM5XE6gDjab7C0fiSGDwdrOjlNK8etnsPcUgKh160ZYDSkfuTY4QilVRrIrXnPDt', 'WvS8aW0y0CC8g7gnwZPALhLqQTPBlWmRPH8vgAbXJxA22pq14ChqHPMwss34rgb0L2pQ6IrkCQ1tnoFsgps8iEvM7DdtBXup', 'xZOOgaq0KuqrJ7UluxfbqQ79wyYXilDxoHJR1UzAGsIxkFnMz0fzCB9gemokmmedZSwRBXmHXZH1PgD5DRwxHfKhBwQ5hreN', 'XCpEm4Z2hwR8iwOjgsguyjCTHaI8vKx0aiwoSnr6bGJkBPWoYCMlKFAZafxv7zPKtpFHdruSCWWLEwOZn7e18Ri2j6K0mVRR', 'Q4zJf8iyz0LEFzV8O5UUr5bBlK3blfDSswrbWvPseTLHvT6CFWfzmLzSEHr59MKSc1F3g7cODmCuvUeZHdA9mVHn2e8tJSFZ'
                  Source: MicrosoftService.exe, XVbAF4jtME9i68tf4sSgoxKRilC8u.csBase64 encoded string: 'S8TNdgOqQeRTBFzJAdFfNuzYMB4mco6bL3JrTzX9NhZ3vVF9Y8H6yUjFHy9Bjd40', 'oT4ZfAtVvFZKEvYNSEL5Dh9FE88lvZFll9cwNAvnLSJWekRmPZd2Pejp7VUOpWXR', 'MHCrNNJFEX2G6JnuScjGfD1eO3jkkWZQafg8MG81lwJ0mJCuG4mOYYkyUtNeyC4p', 'napaUCBRKH2nyEYqp4tXG6oLD9qDbaevIdA3IegUTyfjG8f8vjGzGhcyoOHB1DCf', 'x1TkNpnWwzmj8EfqbG0wDj5dE0zLYITekJLE2QzxK4mWlhbHBKYiVVg4kOMHbbuf'
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@13/18@2/2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03
                  Source: C:\Users\user\Desktop\MicrosoftService.exeMutant created: \Sessions\1\BaseNamedObjects\oRLySGX7fI9tVuHC
                  Source: C:\Users\user\Desktop\MicrosoftService.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                  Source: MicrosoftService.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: MicrosoftService.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\MicrosoftService.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: MicrosoftService.exeVirustotal: Detection: 64%
                  Source: unknownProcess created: C:\Users\user\Desktop\MicrosoftService.exe "C:\Users\user\Desktop\MicrosoftService.exe"
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftService.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' Microsoft Service.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftService.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' Microsoft Service.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: dlnashext.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: wpdshext.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\MicrosoftService.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\MicrosoftService.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: MicrosoftService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: MicrosoftService.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_6CHrrhJEpVmYJlCBT3XdMlJxNSCstYP6VICaDfzOIM7D1mlpjnMeUIBz3nuvyGkmHR4O46ag0qiBNN53Px1M6JN.SfsTYiria38kX8oI0mbjc5WtvhIGQI3Z00v4cr5ML4PsOFPsaabuHaQUSr1Qdz4gWVXUxAM8rpRuwNxy3LGEQTG,_6CHrrhJEpVmYJlCBT3XdMlJxNSCstYP6VICaDfzOIM7D1mlpjnMeUIBz3nuvyGkmHR4O46ag0qiBNN53Px1M6JN.QhylRK5krPcj8Ps0WaIasDdYcw1AxL39Et8U5PTtHMpTWAQThNEN36ptpou87wyiAcWiwqnwj2Wf89PCuyWDnUr,_6CHrrhJEpVmYJlCBT3XdMlJxNSCstYP6VICaDfzOIM7D1mlpjnMeUIBz3nuvyGkmHR4O46ag0qiBNN53Px1M6JN.jfOPGWF7UkPg95lqATQGlD8yE2PtAbszMRd4GknWRXslelYjZtC6LlGJCAkfdHjJf33L8p6fsiTld3YD8TMvs15,_6CHrrhJEpVmYJlCBT3XdMlJxNSCstYP6VICaDfzOIM7D1mlpjnMeUIBz3nuvyGkmHR4O46ag0qiBNN53Px1M6JN._4SEotEzPs9t0AgJ7gZXPvfJuv2fCAgsvAJR91imgq47njtlAEu5DDteEo4qRz4SK5JunFspiQhhcCnSADYmWVfT,IunOeEUg9VFz5W._5fhdLO3hcaZNCB()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Hjqqf7ujnHVbWS[2],IunOeEUg9VFz5W.NT8ltqelnK6JMG(Convert.FromBase64String(Hjqqf7ujnHVbWS[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Hjqqf7ujnHVbWS[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.cs.Net Code: TJBf9SEDM9G6QAZx96i1dxsjwCQF7 System.AppDomain.Load(byte[])
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.cs.Net Code: _55D8A01H2glzqv9MwgCdI5hRbG8lq System.AppDomain.Load(byte[])
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.cs.Net Code: _55D8A01H2glzqv9MwgCdI5hRbG8lq
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848E2D2A5 pushad ; iretd 2_2_00007FF848E2D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F4B9FA push E85A2DD7h; ret 2_2_00007FF848F4BAF9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F400BD pushad ; iretd 2_2_00007FF848F400C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E0D2A5 pushad ; iretd 5_2_00007FF848E0D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F200BD pushad ; iretd 5_2_00007FF848F200C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848DED2A5 pushad ; iretd 8_2_00007FF848DED2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F000BD pushad ; iretd 8_2_00007FF848F000C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848DFD2A5 pushad ; iretd 10_2_00007FF848DFD2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848F100BD pushad ; iretd 10_2_00007FF848F100C1
                  Source: MicrosoftService.exe, awGLWRCclgiR7y.csHigh entropy of concatenated method names: 'THwLBUV5IZiqY1', 'qdco2sgjEwmKld', 'wIAXplAqxBMPpQ', '_6M224WwQWlPKIsWfw744FT2q', 'AlBqbsfGZbIIvaM9ee5XqY2K', 'PXxkzj5dF1AVRkWzWeMptavk', '_9CRmTTJoHjjLpauJl2cy4AQv', '_2tpmeZtMecmkc3TcUbxjPYE5', 'oSF5UDpKKI5FxEgnHVK7DSXE', '_6pXrHPSrq5t1W6tF4E1gygSP'
                  Source: MicrosoftService.exe, 6CHrrhJEpVmYJlCBT3XdMlJxNSCstYP6VICaDfzOIM7D1mlpjnMeUIBz3nuvyGkmHR4O46ag0qiBNN53Px1M6JN.csHigh entropy of concatenated method names: 'X472cHTpOSTi6jC9Uskt4iQw8hZT91C15JPMoA0Pk2iJSelms7OafzY46iPW11xmDvi0Q20ML34YwXD', 'zu21MCSQDl2TGcNw99Hniugl0Onnt0810dgnH01lgOWaupwaAIczNSqSF9knl5zdhnfm0M2uhDc8CaO', 'KofcdyKt87ysycXKurBhIi0t31GpJbVVQxedQsv3J6HdkJFngftvZM3N4Vj4I8pvmkdD4GtRFzOqV6V', 'oRuu60O0IgIMkSJWjofiHRwB6zHWkqFMP7u5NTmXkNEbI3ZE84MNiS3bCODLdWdjvkD01LTIaH1vR1C'
                  Source: MicrosoftService.exe, ZRg8rs5jY5j.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Js2UmYz1pJlSIHfhOxoJ5rdYJ4Be1RbZQB53xdWJfwdFnm1ehhTNBbDOpEvdY8K32eK7YyoQ9QhyD1c', 'bC9nxvWf4Cje7PoHY4MaN8nvh4J3wM6yVEpQHorc3yGWX2qs9RntyzV0xo7IH8eoaAbMnQyHb6idpbo', 'pZhXXGkQU8T2iZ8hQiXeLGaF6sajZW3Ecf8zZUmyWGFWrcHARK0X0MenpmJL0jr39L1ZRRbK39N9CA6', 'NNSvt5wZpHuueZQ7ILYZNqLR3Rt7AkE570KyKaauwMSGnJwssNCzdQWmOHKYG3vy1ZlzQwZHb5uJazZ'
                  Source: MicrosoftService.exe, IunOeEUg9VFz5W.csHigh entropy of concatenated method names: 'iWKt9LrhPqaak3', 'CnLGciH6qZ75D7', 'p5YGdzfAyWwktx', '_5L6TSyhyOcHBmA', 'Rm2ZZdaOR0pb0Y', 'KVV2bsnzZd4rWk', 'w1mcqjhMy7shmb', 'oDCvyUkdx21Dvv', '_2Jmi56Z4Ce1LKq', 'lPqNbVZaWzB5fr'
                  Source: MicrosoftService.exe, hGngWN6oF78GgDwU1aeLwUv4EDP2w.csHigh entropy of concatenated method names: 'ZpVtnrxPWSiauvAXD7EfVCK1mW1jF', '_0LTT91MZbb7CpcGxBOFdjsSr1A2N2', 'Y569x86UQoTH6tetirhpyUnt9tYCE', 'aM0wPLN4cfMtDYbcbgtGO63JOo0ke', '_45LiIpE6FHaChKWqIUekghznrYJKW', 'u9lkpWZAh27j6LkYzHsmrMe9u3CZJ', 'LnqOgE6I1kSrEXMfekXgZH0IVnAij', 'Gj4pFLPygN03w7m0KXLa5Q4IybZgX', '_8ndWzPvXNrr9z5ljVx68EFxMjMSoE', 'CL1RhozfdyMkaGWHBvT7CbcCr7Cjj'
                  Source: MicrosoftService.exe, XVbAF4jtME9i68tf4sSgoxKRilC8u.csHigh entropy of concatenated method names: 'XicJOB0j3mziLSel5qceMCXZP4mQo', 'jdnl2vuKCY99GEtDVn0dShtrNiSkg', 's1QCZ0qHCXVep9KGgNWCO3qXMmuar', 'P73T7ZQUXVDMEhZdQcLdET08sZcvw', 'WzYSqoCS9RLkdCFbueFjoV21RiGPw', '_3XDeW3xEl2hLCiLtoHX5xLkjUJVRU', 'gNfPGc57hixVUDwu9ZjOqqDAtVmt6', 'ZTmT4BvZhqD4QqWsIY77iEKCdjCxV', 'Mvu6EZaRZWE6Z3YMhhptVpSMH39Rq', 'CyL89AsENOkF1nZPQNjPGptNjd4PB'
                  Source: MicrosoftService.exe, gsjOUyIdYvcE5R1NvRtlaLbBqFNvM.csHigh entropy of concatenated method names: 'XYNiFKGjaAyzvOzocpW1Y8abKZmqj', 'TJBf9SEDM9G6QAZx96i1dxsjwCQF7', 'nfkxqlxExlugFJYNTGlc6LAG8flxi', 'q1AaL2UPJ65QNlHZ5jCrhaq8F3wfi', 'Ma19xe1YTgtf2OK6mxcVIqRZnacXg', 'HyskcJk3zR2i6T3GHUZUQ58jx73op', 'ZclglDt0GZBJoU7ogPHTiVk6KE3Qo', 'w6j0QcIWbNyIdlw1xxNhzPQ2wKg4f', 'wNItLeo8p5jymSQo041f9Hokt86TK', 'EcwwRMtuKi5Ck2NAeQze8zixKmwUL'
                  Source: MicrosoftService.exe, kntS28BuMXuNLY.csHigh entropy of concatenated method names: 'Zkglc8TVWgRQ57', 'YkHAo6rldl0nYK11jB81TprtUMJl2dqTlxRqQNu', '_6yMCUBnvwTD55LEEhT6aVYMZSFo9eNPQ2E2mnkh', 'MxpP3D6B2ZGGEzRt65nJFBGn', '_2qytIIQ8CWdhjBrUuMBYHHdk'
                  Source: MicrosoftService.exe, qBmrPlfi0o40ZK.csHigh entropy of concatenated method names: 'HPJzN6M6ehFrjJ', 'VPXHQFBivyeGsb', 'pSoLQS12HYGHsl', 'uvAiLmZpXjzvrS', 'sBjst8DmIBy7CDrzitqSpdiXRZgBzC0urEoXWla', 'LhNI44p1ixKgiZKCiwWm1GkUTS17L8OI09R17Wi', 'NYvlOlFDsBNnHPhAW1dWAGgDfh3ZHtsWEyb6BjB', 'A8FxB02E9Zn759lLDxZ4MdOsKi71QUy7ypd0wLX', 'CaDQUghydgZFk9vJZl4J3pbQ3uwtCWOaJ5xYHCV', 'voeDoPvoRM8qRqj4mg91u9EpdC9XF8ewtBsMede'
                  Source: MicrosoftService.exe, UuZPnrJXmagl5d.csHigh entropy of concatenated method names: 'VHgZs2riGylt2k', 'UoEEiVXUV9q4CeAAZftwotIMRXKSHCUqWfHHK0s', '_1b4JoxMBzdxGshbcj1IliIEk4nxPNTHoAhnvsgW', '_4qz1CGmSpexjDlrpxvlw7wNX3K3sYfkwi9alK9t', 'FSKROrXtZjAwh09zDCr1NehdzAi82AXBSBS9sEI'
                  Source: MicrosoftService.exe, Nbxlff2Lt3zZpU.csHigh entropy of concatenated method names: 'OrC7PZwY1APpJH', 'W8XPEWFEYGPWHb', 'SYkGup6D1NhdJO', 'rGTT9d1gC76Vo3', 'OtXJKvYGO951iJ', 'untZRk37pT8liT', 'cOUII636KVdZHt', 'SDMs224V8KqS5D', '_3vEK7JapFhB12l', 'C4N2zGL7l0PCx6'
                  Source: C:\Users\user\Desktop\MicrosoftService.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft ServiceJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft ServiceJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Check if machine is in data center or colocation facility
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\MicrosoftService.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: MicrosoftService.exeBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\MicrosoftService.exeMemory allocated: 890000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeMemory allocated: 1A710000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\MicrosoftService.exeWindow / User API: threadDelayed 5584Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeWindow / User API: threadDelayed 4267Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3348Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6408Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7046Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2519Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6741Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2818Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8368
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1170
                  Source: C:\Users\user\Desktop\MicrosoftService.exe TID: 5692Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2672Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1272Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2676Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5652Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Users\user\Desktop\MicrosoftService.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Users\user\Desktop\MicrosoftService.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: MicrosoftService.exeBinary or memory string: vmware
                  Source: MicrosoftService.exe, 00000000.00000002.3274661638.000000001B560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  barindex
                  Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                  Source: C:\Users\user\Desktop\MicrosoftService.exeCode function: 0_2_00007FF848F173F0 CheckRemoteDebuggerPresent,0_2_00007FF848F173F0
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\MicrosoftService.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe'
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe'Jump to behavior
                  Bypasses PowerShell execution policy
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftService.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' Microsoft Service.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeQueries volume information: C:\Users\user\Desktop\MicrosoftService.exe VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\Desktop\MicrosoftService.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\MicrosoftService.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: MicrosoftService.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.MicrosoftService.exe.330000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3238237708.000000000275A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3238237708.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MicrosoftService.exe PID: 4612, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: MicrosoftService.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.MicrosoftService.exe.330000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3238237708.000000000275A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3238237708.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MicrosoftService.exe PID: 4612, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                  Windows Management Instrumentation                  		1
                  Registry Run Keys / Startup Folder                  		11
                  Process Injection                  		11
                  Disable or Modify Tools                  		OS Credential Dumping431
                  Security Software Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  PowerShell                  		1
                  DLL Side-Loading                  		1
                  Registry Run Keys / Startup Folder                  		151
                  Virtualization/Sandbox Evasion                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Non-Standard Port                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		11
                  Process Injection                  		Security Account Manager151
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Ingress Tool Transfer                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Deobfuscate/Decode Files or Information                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                  Obfuscated Files or Information                  		LSA Secrets1
                  System Network Configuration Discovery                  		SSHKeylogging12
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                  Software Packing                  		Cached Domain Credentials1
                  File and Directory Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  DLL Side-Loading                  		DCSync23
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465855 Sample: MicrosoftService.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 29 ip-api.com 2->29 31 18.31.95.13.in-addr.arpa 2->31 37 Snort IDS alert for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 13 other signatures 2->43 8 MicrosoftService.exe 15 4 2->8         started        signatures3 process4 dnsIp5 33 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 8->33 35 89.213.177.81, 59133, 7000 EDGEtaGCIComGB United Kingdom 8->35 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->45 47 Protects its processes via BreakOnTermination flag 8->47 49 Bypasses PowerShell execution policy 8->49 51 2 other signatures 8->51 12 powershell.exe 23 8->12         started        15 powershell.exe 23 8->15         started        17 powershell.exe 21 8->17         started        19 powershell.exe 8->19         started        signatures6 process7 signatures8 53 Loading BitLocker PowerShell Module 12->53 21 conhost.exe 12->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process9

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  MicrosoftService.exe65%VirustotalBrowse
                  MicrosoftService.exe100%AviraTR/Spy.Gen
                  MicrosoftService.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  SourceDetectionScannerLabelLink
                  ip-api.com0%VirustotalBrowse
                  18.31.95.13.in-addr.arpa1%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://nuget.org/NuGet.exe0%URL Reputationsafe
                  http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                  http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                  http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
                  http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
                  http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                  https://contoso.com/0%URL Reputationsafe
                  https://nuget.org/nuget.exe0%URL Reputationsafe
                  https://contoso.com/License0%URL Reputationsafe
                  https://contoso.com/Icon0%URL Reputationsafe
                  https://aka.ms/pscore680%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://ip-api.com/line/?fields=hosting0%URL Reputationsafe
                  http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt00%Avira URL Cloudsafe
                  http://www.t.com/pk0%Avira URL Cloudsafe
                  89.213.177.810%Avira URL Cloudsafe
                  http://www.microsoft.co0%Avira URL Cloudsafe
                  http://crl.mic0%Avira URL Cloudsafe
                  http://crl.micft.cMicRosof0%Avira URL Cloudsafe
                  https://github.com/Pester/Pester0%Avira URL Cloudsafe
                  http://crl.micros0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ip-api.com
                  		208.95.112.1
                  		truetrueunknown
                  18.31.95.13.in-addr.arpa
                  		unknown
                  		unknownfalseunknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  89.213.177.81true
                  • Avira URL Cloud: safe
                  		unknown
                  http://ip-api.com/line/?fields=hostingfalse
                  • URL Reputation: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0powershell.exe, 00000002.00000002.2089582976.000002061FE38000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2080152137.0000020617732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2171858450.0000029515BA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2322557886.000001E6E5FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.t.com/pkpowershell.exe, 0000000A.00000002.2548301136.000001A8A74CC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2064238466.00000206078E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505D5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D618A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2064238466.00000206078E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505D5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D618A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2080152137.0000020617732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2171858450.0000029515BA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2322557886.000001E6E5FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.microsoft.copowershell.exe, 00000005.00000002.2184516749.000002951DFFF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://crl.micpowershell.exe, 00000008.00000002.2346795935.000001E6EE6E0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 0000000A.00000002.2515625827.000001A89EDF0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://crl.micft.cMicRosofpowershell.exe, 00000008.00000002.2346795935.000001E6EE6E0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://aka.ms/pscore68powershell.exe, 00000002.00000002.2064238466.00000206076C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D5F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88ED81000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMicrosoftService.exe, 00000000.00000002.3238237708.0000000002711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2064238466.00000206076C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2116445137.0000029505B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224681212.000001E6D5F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2384593841.000001A88ED81000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.2384593841.000001A88EFAA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://crl.microspowershell.exe, 00000008.00000002.2346613543.000001E6EE5C0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  208.95.112.1
                  		ip-api.comUnited States
                  		53334TUT-ASUStrue
                  89.213.177.81
                  		unknownUnited Kingdom
                  		8851EDGEtaGCIComGBtrue

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1465855
                  Start date and time:2024-07-02 07:36:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 5m 35s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:14
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:MicrosoftService.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@13/18@2/2
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 50
                  • Number of non-executed functions: 5
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  01:36:57API Interceptor53x Sleep call for process: powershell.exe modified
                  01:37:49API Interceptor255923x Sleep call for process: MicrosoftService.exe modified
                  07:37:54AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Service C:\ProgramData\Service Host: Microsoft Service.exe
                  07:38:02AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Service C:\ProgramData\Service Host: Microsoft Service.exe

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  208.95.112.1F.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • ip-api.com/line/?fields=hosting
                  x.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • ip-api.com/line/?fields=hosting
                  java_update.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • ip-api.com/line/?fields=hosting
                  Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                  • ip-api.com/json/
                  x433.exeGet hashmaliciousXWormBrowse
                  • ip-api.com/line/?fields=hosting
                  DriverUpdt.exeGet hashmaliciousXWormBrowse
                  • ip-api.com/line/?fields=hosting
                  rinvoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • ip-api.com/line/?fields=hosting
                  rQuotation.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  8f5WsFcnTc.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  ZkqNrYh5cV.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  ip-api.comF.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  x.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  java_update.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                  • 208.95.112.1
                  x433.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  DriverUpdt.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  rinvoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 208.95.112.1
                  rQuotation.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  8f5WsFcnTc.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  ZkqNrYh5cV.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  EDGEtaGCIComGBf6RyWmGZLw.elfGet hashmaliciousUnknownBrowse
                  • 217.144.153.241
                  c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exeGet hashmaliciousSystemBCBrowse
                  • 185.20.35.63
                  https://nom9er.gouwo.eu/Get hashmaliciousUnknownBrowse
                  • 212.38.95.10
                  Pb0GaINSjK.elfGet hashmaliciousMiraiBrowse
                  • 77.107.107.199
                  t4p0nt07.x86.elfGet hashmaliciousMiraiBrowse
                  • 217.144.153.219
                  https://erzincanaktastaksi.com/20/w2_2023_Up.zipGet hashmaliciousXWormBrowse
                  • 185.49.126.37
                  https://cdn1.filehaus.su/files/6634f9beb74d4.txtGet hashmaliciousUnknownBrowse
                  • 89.213.174.100
                  https://cdn1.filehaus.su/files/6634f9beb74d4.txtGet hashmaliciousUnknownBrowse
                  • 89.213.174.100
                  rfB3bYVoxB.elfGet hashmaliciousMiraiBrowse
                  • 89.213.248.27
                  x2tgARMXmA.elfGet hashmaliciousMirai, GafgytBrowse
                  • 217.144.153.212
                  TUT-ASUSF.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  x.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  java_update.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                  • 208.95.112.1
                  x433.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  DriverUpdt.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  rinvoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 208.95.112.1
                  rQuotation.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  8f5WsFcnTc.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  ZkqNrYh5cV.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:@...e...........................................................

                  C:\Users\user\AppData\Local\Temp\Log.tmp

                  Download File
                  Process:C:\Users\user\Desktop\MicrosoftService.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):35
                  Entropy (8bit):3.7071562309216133
                  Encrypted:false
                  SSDEEP:3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
                  MD5:BFABEC865892A34F532FABF984F7E156
                  SHA1:3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
                  SHA-256:8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
                  SHA-512:CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:....### explorer ###..[WIN]r[WIN]r

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0o2bzl5m.vov.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1lodb341.rb0.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1yyzrnk4.4zs.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ig5oaov.0rq.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fazmfqr.43u.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jiipbik.fwv.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hurbfl5u.scc.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iw5qpwhw.izu.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ja3zh3gf.t2o.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k03y04uj.vgq.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kb1atu2k.e1k.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgjozxag.4j1.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t1uusbpa.maf.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wu11mzd1.5ow.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjv0uqg0.5am.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylddzywl.her.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):6.320238540220299
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:MicrosoftService.exe
                  File size:203'776 bytes
                  MD5:01fd03e1f9ddbeee002267238428ac26
                  SHA1:a3832b5be0fb96431c231e605b88a3c3776d4207
                  SHA256:d6573c5df0eb1cc96116089788e3cc17f647046f4806d10ac2d6a430c553bd15
                  SHA512:acb062488b443ef34e1093b3a12c1cd1c62131c22bae5947d2338e9efe20d2acf89dfa1af01c70ec1f47cc75d93cd61766664cc6ec46497183af4ff58e5801cd
                  SSDEEP:3072:sLHiNUtXboS+M2A7OPB6aUFRUGKXs+S++7KFSbxeY+qDDrMP:OrXbH+rYJAGqStKEbxI
                  TLSH:B5147E2C6FCA749BE4791EB55CA6B6D10B3CEFA2B492529D30E46E3DB352474C500BE0
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=}f.............................9... ...@....@.. .......................`............@................................

                  File Icon

                  Icon Hash:170105b232472f1f

                  Static PE Info

                  General

                  Entrypoint:0x41392e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x667D3D1F [Thu Jun 27 10:21:19 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0x138e00x4b.text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x140000x1fd72.rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x340000xc.reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  .text0x20000x119340x11a00a9d44f78621388a542b47efce46cff8eFalse0.5896913785460993data5.960418187434536IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc0x140000x1fd720x1fe00402e225894d706ae389f6b60478fd05eFalse0.43596813725490197data6.174219221281167IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc0x340000xc0x200cc09c0673b2fa483a71373b74e2e853cFalse0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  NameRVASizeTypeLanguageCountryZLIB Complexity
                  RT_ICON0x142200x7198PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9990027510316368
                  RT_ICON0x1b3b80x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.21535253756062936
                  RT_ICON0x2bbe00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 163840.3363249881908361
                  RT_ICON0x2fe080x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 92160.4050829875518672
                  RT_ICON0x323b00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 40960.5145403377110694
                  RT_ICON0x334580x468Device independent bitmap graphic, 16 x 32 x 32, image size 10240.7411347517730497
                  RT_GROUP_ICON0x338c00x5adata0.7333333333333333
                  RT_VERSION0x3391c0x26cdata0.4596774193548387
                  RT_MANIFEST0x33b880x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                  Imports

                  DLLImport
                  mscoree.dll_CorExeMain

                  Network Behavior

                  Snort IDS Alerts

                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                  07/02/24-07:38:56.500378TCP2852923ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)591337000192.168.2.589.213.177.81
                  07/02/24-07:38:51.102958TCP2852874ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M270005913389.213.177.81192.168.2.5
                  07/02/24-07:39:03.281373TCP2852870ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes70005913389.213.177.81192.168.2.5
                  07/02/24-07:38:17.184940TCP2855924ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound591337000192.168.2.589.213.177.81

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 2, 2024 07:36:56.063679934 CEST4970480192.168.2.5208.95.112.1
                  Jul 2, 2024 07:36:56.068722010 CEST8049704208.95.112.1192.168.2.5
                  Jul 2, 2024 07:36:56.068826914 CEST4970480192.168.2.5208.95.112.1
                  Jul 2, 2024 07:36:56.069516897 CEST4970480192.168.2.5208.95.112.1
                  Jul 2, 2024 07:36:56.075515032 CEST8049704208.95.112.1192.168.2.5
                  Jul 2, 2024 07:36:56.556211948 CEST8049704208.95.112.1192.168.2.5
                  Jul 2, 2024 07:36:56.606039047 CEST4970480192.168.2.5208.95.112.1
                  Jul 2, 2024 07:37:50.397430897 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:37:50.402441025 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:37:50.402554989 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:37:50.446923018 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:37:50.452398062 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:03.812011003 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:03.817169905 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:04.172270060 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:04.196841955 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:04.201798916 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:11.602752924 CEST8049704208.95.112.1192.168.2.5
                  Jul 2, 2024 07:38:11.602870941 CEST4970480192.168.2.5208.95.112.1
                  Jul 2, 2024 07:38:17.184940100 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:17.192471027 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:17.555471897 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:17.557288885 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:17.562088966 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:20.114825010 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:20.168556929 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:30.559640884 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:30.564450026 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:31.187294006 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:31.188921928 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:31.193872929 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:36.560456038 CEST4970480192.168.2.5208.95.112.1
                  Jul 2, 2024 07:38:36.565201044 CEST8049704208.95.112.1192.168.2.5
                  Jul 2, 2024 07:38:43.934483051 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:43.939560890 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:44.292294025 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:44.294702053 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:44.299442053 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:51.098965883 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:51.101983070 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:51.102061987 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:51.102874041 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:51.102916002 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:51.102957964 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:51.102999926 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:56.140837908 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:56.145574093 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:56.498641014 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:38:56.500377893 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:38:56.505129099 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:39:02.153470039 CEST591337000192.168.2.589.213.177.81
                  Jul 2, 2024 07:39:02.158308029 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:39:03.281373024 CEST70005913389.213.177.81192.168.2.5
                  Jul 2, 2024 07:39:03.324776888 CEST591337000192.168.2.589.213.177.81

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 2, 2024 07:36:56.050391912 CEST5731453192.168.2.51.1.1.1
                  Jul 2, 2024 07:36:56.057693958 CEST53573141.1.1.1192.168.2.5
                  Jul 2, 2024 07:37:26.496006012 CEST5362368162.159.36.2192.168.2.5
                  Jul 2, 2024 07:37:27.005846024 CEST5383553192.168.2.51.1.1.1
                  Jul 2, 2024 07:37:27.013869047 CEST53538351.1.1.1192.168.2.5

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jul 2, 2024 07:36:56.050391912 CEST192.168.2.51.1.1.10xaad2Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                  Jul 2, 2024 07:37:27.005846024 CEST192.168.2.51.1.1.10xa35aStandard query (0)18.31.95.13.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jul 2, 2024 07:36:56.057693958 CEST1.1.1.1192.168.2.50xaad2No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                  Jul 2, 2024 07:37:27.013869047 CEST1.1.1.1192.168.2.50xa35aName error (3)18.31.95.13.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                  HTTP Request Dependency Graph

                  • ip-api.com

                  HTTP Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.549704208.95.112.1804612C:\Users\user\Desktop\MicrosoftService.exe
                  TimestampBytes transferredDirectionData
                  Jul 2, 2024 07:36:56.069516897 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Jul 2, 2024 07:36:56.556211948 CEST175INHTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 05:36:56 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 60
                  X-Rl: 44
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false


                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:01:36:51
                  Start date:02/07/2024
                  Path:C:\Users\user\Desktop\MicrosoftService.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\MicrosoftService.exe"
                  Imagebase:0x330000
                  File size:203'776 bytes
                  MD5 hash:01FD03E1F9DDBEEE002267238428AC26
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1987205616.0000000000332000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3238237708.000000000275A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3238237708.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  General

                  Target ID:2
                  Start time:01:36:55
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftService.exe'
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:3
                  Start time:01:36:55
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:5
                  Start time:01:37:02
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftService.exe'
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:6
                  Start time:01:37:02
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:8
                  Start time:01:37:12
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Service Host: Microsoft Service.exe'
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:9
                  Start time:01:37:12
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:10
                  Start time:01:37:29
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' Microsoft Service.exe'
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:11
                  Start time:01:37:29
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Disassembly

                  Reset < >

                    Executed Functions

                    Function 00007FF848F1AB58 Relevance: 2.4, Strings: 1, Instructions: 1174COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID: 0-3916222277
                    • Opcode ID: 1626973d0b9b31dcc4809de9dbaa6e9e32faf077dbe1f1fd89f2525e612d9dc0
                    • Instruction ID: b2cd1e09e200bf5d436a47be4b22fba8f02c57e45726ee34790a91b9a270c76b
                    • Opcode Fuzzy Hash: 1626973d0b9b31dcc4809de9dbaa6e9e32faf077dbe1f1fd89f2525e612d9dc0
                    • Instruction Fuzzy Hash: 4A824A30F5D91A4FEA98FB38845667A72D2EF98390F544579E80ED32C6DF38AC428744
                    Function 00007FF848F173F0 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: 1fda6d96cadf7912232c04d8ee17ab750652733501e6119b99186a2b31c63642
                    • Instruction ID: 376af35c6bac7464fa2c47a18ae40eb51d841cc7c5d174db7b459d3a2b9b4619
                    • Opcode Fuzzy Hash: 1fda6d96cadf7912232c04d8ee17ab750652733501e6119b99186a2b31c63642
                    • Instruction Fuzzy Hash: 0C414831C0CA598FDB55DF6888496E9BFF0FF66311F04426BC489D71C2CB24A856C791
                    Function 00007FF848F11719 Relevance: .7, Instructions: 718COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2b099f258351daa7809f2fbcb525a95815b655ba2a4d06d8ee42a0904a061d3d
                    • Instruction ID: cb7fd93916e49b024bd51957ff384e5dd42443d783a3a01e5bc60c2974c0aeef
                    • Opcode Fuzzy Hash: 2b099f258351daa7809f2fbcb525a95815b655ba2a4d06d8ee42a0904a061d3d
                    • Instruction Fuzzy Hash: 2E221431A1DA495FE798FB3894596BA7BE2FF88790F440579E40EC32C2DF28AC418745
                    Function 00007FF848F11290 Relevance: .6, Instructions: 606COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0ef216cb8200fdb351b86bb7b269071b63243cc84848a0a9c6620b239b5d2f07
                    • Instruction ID: 703c8148d27baf42754b7c64a10e053f9f1d96c18b1baaccb7b4da3a8f41dd91
                    • Opcode Fuzzy Hash: 0ef216cb8200fdb351b86bb7b269071b63243cc84848a0a9c6620b239b5d2f07
                    • Instruction Fuzzy Hash: E812AE70A2DA5A5FE798FB38945927A76E2FF88780F440579E40EC32C6DF28AC418745
                    Function 00007FF848F15EE6 Relevance: .5, Instructions: 467COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a8462ca93d5e43ad7a66d084f83287f951535652c1c9b123dc21d2270830cbc
                    • Instruction ID: 7fd03296374a5cf65e8a6a6b12077cbae12ab4c930a41546acd52d61af5490d9
                    • Opcode Fuzzy Hash: 1a8462ca93d5e43ad7a66d084f83287f951535652c1c9b123dc21d2270830cbc
                    • Instruction Fuzzy Hash: 04F1813091CA8D8FEBA8EF28C8557E977E1FF54351F04426EE84DC7295CB38A9458B81
                    Function 00007FF848F16C92 Relevance: .4, Instructions: 450COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ec5116c0e701af115f2908390ba8232a5ea36668373af2f2b781174d2cd6daf7
                    • Instruction ID: 3aff842f097762d777f6282a6abce33cd05a9b2dc41608a2bc438f6b46679e07
                    • Opcode Fuzzy Hash: ec5116c0e701af115f2908390ba8232a5ea36668373af2f2b781174d2cd6daf7
                    • Instruction Fuzzy Hash: 74E1A13091CA8E8FEBA8EF28C8557E977E1EF54350F14426EE80DC7295DF7898408B85
                    Function 00007FF848F121B1 Relevance: .4, Instructions: 390COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 41f091cc10c5149bf554c570076b819cb50d5f124447f77b23a9808e576a85bd
                    • Instruction ID: 088fc9534d99920e04ccf25295e4c44f3e23a6db0d92c20364a766075a14ac5f
                    • Opcode Fuzzy Hash: 41f091cc10c5149bf554c570076b819cb50d5f124447f77b23a9808e576a85bd
                    • Instruction Fuzzy Hash: D9C17E71B1D94A4FEB88FBA884A527976D2FF98780F04057AD04EC32D2DF38AC428745
                    Function 00007FF848F19650 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID: CriticalProcess
                    • String ID: H
                    • API String ID: 2695349919-2852464175
                    • Opcode ID: 988c21a9ff362cbb122e3ecaea96f167ce9915257da24b294954c0908c7d9c0f
                    • Instruction ID: a4861614cbae910230d12cd25e9fb00032e17799685c2860da5e89ec370b8095
                    • Opcode Fuzzy Hash: 988c21a9ff362cbb122e3ecaea96f167ce9915257da24b294954c0908c7d9c0f
                    • Instruction Fuzzy Hash: D751383290DA894FE716EB6C98196E97FE0FF52351F0800BFD089C75C3DA24584687A1
                    Function 00007FF848F19BE8 Relevance: 1.6, APIs: 1, Instructions: 141COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 466540534e8a97964c4db6fc3262f8c87e5386b445aa8d9c9f8d66f0e2d8872b
                    • Instruction ID: 3e6e2b1596082dc90eb84dd6d29c20eaff3c3b293b43a93e94ac183882ebb8e7
                    • Opcode Fuzzy Hash: 466540534e8a97964c4db6fc3262f8c87e5386b445aa8d9c9f8d66f0e2d8872b
                    • Instruction Fuzzy Hash: 9C412B30A1CA4D4FDB58EB6C98466F9BBE1EF55321F04023ED049C3692CF656852C7C1
                    Function 00007FF848F178A1 Relevance: 1.6, APIs: 1, Instructions: 120COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3284004398.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: c16e5f4275e40fa26a1045a292f91c9fccedac50271159704bf3befdc4aa905d
                    • Instruction ID: 02861a07943080731e56e532fca42b32ca47d587ac34c87071bfbd8d3f15aee3
                    • Opcode Fuzzy Hash: c16e5f4275e40fa26a1045a292f91c9fccedac50271159704bf3befdc4aa905d
                    • Instruction Fuzzy Hash: 5B31F2319097588FCB58DF58C88A7EA7BF0FF65311F05426BD489D7282CB34A845CB91

                    Executed Functions

                    Function 00007FF849016605 Relevance: 6.7, Strings: 5, Instructions: 445COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2091200536.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: (B&I$(B&I$(B&I$(B&I$(B&I
                    • API String ID: 0-1750599480
                    • Opcode ID: de9b349692efc7742ce0eaf0846e3c3e607ab081617e024c718cfd283535f58b
                    • Instruction ID: 8f44d6d8acc8c15bd87a1a0a738b6736d34c4bdbb25fec69cdd8cf6996a6cbaa
                    • Opcode Fuzzy Hash: de9b349692efc7742ce0eaf0846e3c3e607ab081617e024c718cfd283535f58b
                    • Instruction Fuzzy Hash: C7D14332D0EAC99FEB65AF2858165B5BBA0EF06794F0801FBD04CC7193EA1AEC45C351
                    Function 00007FF849014073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2091200536.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>&I
                    • API String ID: 0-4142972376
                    • Opcode ID: bd3639380a2c727c61c885d2af391767f47fbc3b072100a51125fd349c0a0f4b
                    • Instruction ID: d8d2eaacafca3da93b08a4ebe6bf6c84e007e29ec1c29d6f750015a3bf30ebf0
                    • Opcode Fuzzy Hash: bd3639380a2c727c61c885d2af391767f47fbc3b072100a51125fd349c0a0f4b
                    • Instruction Fuzzy Hash: 59511C32E0DA8A8FEBA9EE2C541267577E1EF55360F5801BEC14DC72A3EE25EC058351
                    Function 00007FF8490140BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2091200536.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>&I
                    • API String ID: 0-4142972376
                    • Opcode ID: 5e2f97608893231ce46e844fdeb8657996b8c80aa1cea2f9624c4688d8d5230d
                    • Instruction ID: 235ffcf855f60173f3d59113e732218f31fbddad59e0a2ae01acb43bc57ed614
                    • Opcode Fuzzy Hash: 5e2f97608893231ce46e844fdeb8657996b8c80aa1cea2f9624c4688d8d5230d
                    • Instruction Fuzzy Hash: 6B21D232E0D9C78FEBB9EF2C546217476D5EF64290B5901BAC05DC71B2EE29DC058341
                    Function 00007FF848F4B238 Relevance: .3, Instructions: 316COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ff9464be5043121fbf8ca892ca52265e4a3679097141e9cda23cd2468aae158a
                    • Instruction ID: 7b56b182038e94a37dc26b8207c48c2517268d2649dfa54f04cc9231f2d195b9
                    • Opcode Fuzzy Hash: ff9464be5043121fbf8ca892ca52265e4a3679097141e9cda23cd2468aae158a
                    • Instruction Fuzzy Hash: B5914B3092CA898FE749EF58C8856B9BBE1FF65751F10017EC08AC31A7DA25E846CB51
                    Function 00007FF848F49EF2 Relevance: .2, Instructions: 250COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf1cd5fbfae0b4127d7b9327aef7cd643e2f8da90709670f4b4d9d4be239f88c
                    • Instruction ID: 346a5ba1221a6256759ffac894e38c3fe12ec7dcbb4f4a170dc0209baa0df92b
                    • Opcode Fuzzy Hash: cf1cd5fbfae0b4127d7b9327aef7cd643e2f8da90709670f4b4d9d4be239f88c
                    • Instruction Fuzzy Hash: A38119B7D0D9C68FE706EB2CA8950D57760FF21B6DF0802BBC0888A0D3FE1659568746
                    Function 00007FF848F49FD3 Relevance: .2, Instructions: 159COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b7bfec2021c76230da6d6113033b8377e26685171a441236a6c03c7fee4525e
                    • Instruction ID: 1624cad095f61b811521a4fa82c9e4ff69ed9bbcac5608f2157ba84a2f6e31e3
                    • Opcode Fuzzy Hash: 8b7bfec2021c76230da6d6113033b8377e26685171a441236a6c03c7fee4525e
                    • Instruction Fuzzy Hash: 1051B7B7D0DAC64FE716EB2CA8950D57B60FF21B99F1801BBC0489A0D3FB56188A8745
                    Function 00007FF848E2E380 Relevance: .1, Instructions: 126COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090498973.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7b9866fa1fa396feb984969da82abca888e74e14b754fb32ad30042fe869fca5
                    • Instruction ID: a3392986a7d8006a6a3878bc1d6a200af9ba26c98b5d1c7569969d059876c756
                    • Opcode Fuzzy Hash: 7b9866fa1fa396feb984969da82abca888e74e14b754fb32ad30042fe869fca5
                    • Instruction Fuzzy Hash: 0B41027180DBC58FE75A9B38A8459923FB0FF52365F1505EFD088CB1A3D729A806C792
                    Function 00007FF848F49768 Relevance: .1, Instructions: 125COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 237cf417b4628c207f11b8a2a2087a6b618bebe5d72048301459324674eefd8e
                    • Instruction ID: 16666003329eb7ff78c453b4efbaf5ff4fc16c7bea26a54ac54ef06b9138366a
                    • Opcode Fuzzy Hash: 237cf417b4628c207f11b8a2a2087a6b618bebe5d72048301459324674eefd8e
                    • Instruction Fuzzy Hash: 1D310C31A1CB485FDB18DF1CA80A6E97BE0FBA9710F10422FE449D3651DB31A8568BC2
                    Function 00007FF848F433B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45
                    Function 00007FF8490143FA Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2091200536.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 353ac20097b6f589914e4e6c34808a1369e6e40bb4fe1911e7ce96953db23c2f
                    • Instruction ID: bb50d7f3506dc65e537612623d1a409f9fecc91189a9756c986bd02ba1ffb60e
                    • Opcode Fuzzy Hash: 353ac20097b6f589914e4e6c34808a1369e6e40bb4fe1911e7ce96953db23c2f
                    • Instruction Fuzzy Hash: E7F09A31A0C5858FEB64EF5CA4458A8B7E0FF05360B4500B6E15DC70A3EB2AEC50C764

                    Non-executed Functions

                    Function 00007FF848F48995 Relevance: 5.1, Strings: 4, Instructions: 148COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: K_^$K_^$K_^$K_^
                    • API String ID: 0-4267328068
                    • Opcode ID: 03256e3ebf46bdffa1f2c33cc636307ebde8452f006f45e4b03f137b228c0d9e
                    • Instruction ID: 48d8921c6bc7f614615616ac49e95734bb3777cbc8f618f086428b12a3ed8a5a
                    • Opcode Fuzzy Hash: 03256e3ebf46bdffa1f2c33cc636307ebde8452f006f45e4b03f137b228c0d9e
                    • Instruction Fuzzy Hash: E741B372D1EAC26FE746972858650D57FA0EF22A58F0D01FBC0C89F0D3EA9D540B9356
                    Function 00007FF848F48BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2090861892.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: K_^4$K_^7$K_^F$K_^J
                    • API String ID: 0-377281160
                    • Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                    • Instruction ID: bead706383397ff6f8c4a37cb53810d507c8abccd64b99c06fffeb200d3c1acc
                    • Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                    • Instruction Fuzzy Hash: 11213B7761A525AED7417B7CB8045DA3BA0DF982B8B4503B3D198CF053EA1C708786D4

                    Executed Functions

                    Function 00007FF848FF6605 Relevance: 6.7, Strings: 5, Instructions: 437COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2193335015.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                    • API String ID: 0-1620291718
                    • Opcode ID: 6f9e4fed6c3996413a227024a2058500064108d040bed6b25d837b36102ae2ac
                    • Instruction ID: 261fdd3cb74c87e303f50bb88cda7d0cbdbc206ec24d0a77b7482dc805309749
                    • Opcode Fuzzy Hash: 6f9e4fed6c3996413a227024a2058500064108d040bed6b25d837b36102ae2ac
                    • Instruction Fuzzy Hash: E5D13032D0EA8A5FE795AB2858145B5BBA0EF1A390F1801FFD54DCB1D3EE1CA805C355
                    Function 00007FF848FF4073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2193335015.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>#I
                    • API String ID: 0-2340899229
                    • Opcode ID: e91d52588572478d0c904d13e2c3aac54a56f09ce5819d3f7a5d2634b82c3ffe
                    • Instruction ID: 5898b985a238f5c4c6f79266077de4036e9d44d016ffc3ffed1a936dde447c7c
                    • Opcode Fuzzy Hash: e91d52588572478d0c904d13e2c3aac54a56f09ce5819d3f7a5d2634b82c3ffe
                    • Instruction Fuzzy Hash: 1F51D132A0DA4A4FE79AEB2C541167577E2FFA5260F5801BBD24EC72D3DF18E8058349
                    Function 00007FF848FF40BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2193335015.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>#I
                    • API String ID: 0-2340899229
                    • Opcode ID: 438e21698339d78d0fa338721273e1ebb6eb52c86a9311f6e9f0bfa0ab18c5f6
                    • Instruction ID: 4c4899a3a89e63f07b303e2d3b6a1858681216af9ab52aca89a05ffcac55f49c
                    • Opcode Fuzzy Hash: 438e21698339d78d0fa338721273e1ebb6eb52c86a9311f6e9f0bfa0ab18c5f6
                    • Instruction Fuzzy Hash: EE218D32E0E98B4FE7AAEB2C545117466D1FF742A0F5901BAD25DC72E2DF18EC048349
                    Function 00007FF848F2A0D3 Relevance: .3, Instructions: 271COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2192558505.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 086e6a5df169e63a56d6dbf36dba1afff545df6d6cc6ce232177d8df414c09a6
                    • Instruction ID: fa630dee160a7d5f50129f9323ecef9f1145b28ee948547b458f068fbfcb1fbe
                    • Opcode Fuzzy Hash: 086e6a5df169e63a56d6dbf36dba1afff545df6d6cc6ce232177d8df414c09a6
                    • Instruction Fuzzy Hash: BB213D2691E7C94FD743E77868650E87FB0EF53168B1901EBD488CF0A3DA0A5849C766
                    Function 00007FF848F29D38 Relevance: .2, Instructions: 233COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2192558505.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 85b6348a43072158439e42c8a50e230254acd6dcf53da5577e5982d227190bbc
                    • Instruction ID: 901b9045012291b0e270f9b0b785742e21bf18b5887ee2fa07a14efbd2a8f873
                    • Opcode Fuzzy Hash: 85b6348a43072158439e42c8a50e230254acd6dcf53da5577e5982d227190bbc
                    • Instruction Fuzzy Hash: 8F01A73190DA8D8FDB56EF2868195A87FE0FF65340F4401EBD488CB1A3DB21D954C781
                    Function 00007FF848F29780 Relevance: .1, Instructions: 129COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2192558505.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d0b42ffe05b201675d5203f8fabf39acb15f7680e0c7d8a52e263769c1dc7956
                    • Instruction ID: aef81da2cd72e1c56eb176a93e7616b510beed099cec7237853a9db128347b65
                    • Opcode Fuzzy Hash: d0b42ffe05b201675d5203f8fabf39acb15f7680e0c7d8a52e263769c1dc7956
                    • Instruction Fuzzy Hash: 6431093191CB888FDB199F1CAC066A97BF0FB59711F00426FE049C3692CA71A856CBC2
                    Function 00007FF848E0EC60 Relevance: .1, Instructions: 128COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2191853832.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bd93f28f768cea9e8dfe94a9092c0645cde3eb5c08ff1cf5d2afdb845350299f
                    • Instruction ID: dfb6701a3bb6d9d24531b30050204e050b96a706d9deceda6080d194e35600c6
                    • Opcode Fuzzy Hash: bd93f28f768cea9e8dfe94a9092c0645cde3eb5c08ff1cf5d2afdb845350299f
                    • Instruction Fuzzy Hash: 5141253080DBC45FE7569B2998459523FF0FF57220F1906EFD088CB1A3D629A846C7A2
                    Function 00007FF848F2A64C Relevance: .1, Instructions: 99COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2192558505.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fd7f3282be149557847affacf5d1fc8b372422484665ef1e6633cb8db3d42027
                    • Instruction ID: 2abf5d15fb3ee7e10e15a125a14aaeb6b201cc4899efbd79d44f0f4cdcaee0de
                    • Opcode Fuzzy Hash: fd7f3282be149557847affacf5d1fc8b372422484665ef1e6633cb8db3d42027
                    • Instruction Fuzzy Hash: DC21063090CB8C8FEB59DBAC984A7E97FE0EB96320F04416BD048C3192DB749446CB92
                    Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2192558505.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                    • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                    • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                    Function 00007FF848FF43FA Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2193335015.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 09c8ddb0d0395f124caddf9e20a8d3e69c7e005f12d8a7c3fbf299655f589b71
                    • Instruction ID: 7e1c3ae5898979a2193a2b7b82a81bbc69854c81746028a451958890e6b21308
                    • Opcode Fuzzy Hash: 09c8ddb0d0395f124caddf9e20a8d3e69c7e005f12d8a7c3fbf299655f589b71
                    • Instruction Fuzzy Hash: 41F09A31A0C5458FDB54EB5CA4448A8B7E0FF15360F4500B6E15DD71A3DB2AAC608764

                    Non-executed Functions

                    Function 00007FF848F28BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2192558505.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                    • API String ID: 0-962139525
                    • Opcode ID: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
                    • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                    • Opcode Fuzzy Hash: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
                    • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95

                    Executed Functions

                    Function 00007FF848FD6605 Relevance: 6.7, Strings: 5, Instructions: 443COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2354124089.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                    • API String ID: 0-3570690463
                    • Opcode ID: f38f1ad1d42d9f1750e390e7d5f1ec87ecf0cddec526fada3d2ee9b5e238c98f
                    • Instruction ID: 5f674c0e4a3ae478faa74d7633ca9396f20881672a143197a6c869321b741d58
                    • Opcode Fuzzy Hash: f38f1ad1d42d9f1750e390e7d5f1ec87ecf0cddec526fada3d2ee9b5e238c98f
                    • Instruction Fuzzy Hash: 9FD14131D0EA8A5FE795EB2858145B5BBE0EF16390F1801FAD14ECB1D3EB1CA8058796
                    Function 00007FF848FD4073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2354124089.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>"I
                    • API String ID: 0-2459728092
                    • Opcode ID: 18b38e97fb938e4b27d654a81cd2a0631e8899e08cf9c00bacc7562cabe10eb6
                    • Instruction ID: 06df661b53c08b77f943f79c3a35435f660f74c9406829b524ca13c92fb2870f
                    • Opcode Fuzzy Hash: 18b38e97fb938e4b27d654a81cd2a0631e8899e08cf9c00bacc7562cabe10eb6
                    • Instruction Fuzzy Hash: 01512232E0DA4A4FE79AEB2C541167577E2FFA5260F5801BAC24EC72D2DF18EC058749
                    Function 00007FF848FD40BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2354124089.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>"I
                    • API String ID: 0-2459728092
                    • Opcode ID: 5b5f0fa55999077a44323c8e70d9283a6d5179880be97fa3ba471612bd39a9d8
                    • Instruction ID: 28a990d86d05f0901ce2532bee557edca40af8da2f17c588e940472cf5281d3e
                    • Opcode Fuzzy Hash: 5b5f0fa55999077a44323c8e70d9283a6d5179880be97fa3ba471612bd39a9d8
                    • Instruction Fuzzy Hash: 2821A032E0E98B4FE7AAEB2C545517466D1FF74290F5911BAC25EC72E2CF18EC048B49
                    Function 00007FF848F0A7FC Relevance: .2, Instructions: 216COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c23beba2855fef0fc139b94b54972e5726eab987c4e20d5006a49daf7b15da2
                    • Instruction ID: 94d52cf1461673f23762c532cb9bdc2492195134870f4e729a299c6258d675d6
                    • Opcode Fuzzy Hash: 2c23beba2855fef0fc139b94b54972e5726eab987c4e20d5006a49daf7b15da2
                    • Instruction Fuzzy Hash: 8751293160EBC54FE34AEB2898954A47FE0EF56358B1801FEC489CB293FE19A847C755
                    Function 00007FF848F09FF5 Relevance: .1, Instructions: 132COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4ac4cfa6d8b4968ddb408da7edd78953257c21601e647d3e5af37b6ed15aa5a1
                    • Instruction ID: 80d4ccef13880b9b258635a9864d16ad64f76199df5fb04f15fc9b6e1bebdb7e
                    • Opcode Fuzzy Hash: 4ac4cfa6d8b4968ddb408da7edd78953257c21601e647d3e5af37b6ed15aa5a1
                    • Instruction Fuzzy Hash: 56413B77D0D9C64FD342BB2C98520F53BA0FF523A9F0901B7C0888A193FF18549A8799
                    Function 00007FF848DEEE20 Relevance: .1, Instructions: 127COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2352079468.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f65cdc1441eaf927982c5dc84f0a3dfc8dcb9fe42668b9f7917218c113cd8fc3
                    • Instruction ID: 39d71c07c34ce77cb2db959e74c3c8c9d25ba1ef6b5c375874fb37b6ffed4068
                    • Opcode Fuzzy Hash: f65cdc1441eaf927982c5dc84f0a3dfc8dcb9fe42668b9f7917218c113cd8fc3
                    • Instruction Fuzzy Hash: 2841D47180EBC44FE7569B289845A623FF0EF56360F1505EFD088CB1A7D729A849C7A2
                    Function 00007FF848F09768 Relevance: .1, Instructions: 126COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d67bd3acf1ea96d3fa26cb7817fc9aaf66c8fe2ae70ff5e7b4e4263ea14008d
                    • Instruction ID: 270095dd57b9ea6447ce195f483ab913fbf46ea4b07fc88beaa7b27fc8e44c25
                    • Opcode Fuzzy Hash: 1d67bd3acf1ea96d3fa26cb7817fc9aaf66c8fe2ae70ff5e7b4e4263ea14008d
                    • Instruction Fuzzy Hash: 54310A3191CB489FDB189F5CAC0A6F97BE0FB99710F00422FE449D3652DB30A8568BC2
                    Function 00007FF848F0A52C Relevance: .1, Instructions: 89COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 48fffaf0fde606acaeb44937c6dea16b74cd20e574ee66ba1f755519b13664f7
                    • Instruction ID: 741be09cd50496a61c4372d1483bd51f5bf0475956250f80438964e2f0751349
                    • Opcode Fuzzy Hash: 48fffaf0fde606acaeb44937c6dea16b74cd20e574ee66ba1f755519b13664f7
                    • Instruction Fuzzy Hash: DB21577080CB4C8FEB18CF98984AAF97FE4EB52320F04815ED489DB622DB745846CB50
                    Function 00007FF848F0A505 Relevance: .1, Instructions: 80COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4446f222e8ffae8b9967a00677c0ee5041a3b036790ecf8be36fdff4536f79b6
                    • Instruction ID: 12bb9a56ca8fe5a6b004a217604ea4aab322f647648832010a4ad64600217d06
                    • Opcode Fuzzy Hash: 4446f222e8ffae8b9967a00677c0ee5041a3b036790ecf8be36fdff4536f79b6
                    • Instruction Fuzzy Hash: 5021D47190CB888FDB159BA898497F97FF0EF52320F0881AFC489DB562D6386449CB55
                    Function 00007FF848F033B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                    • Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
                    • Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                    • Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45
                    Function 00007FF848FD43FA Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2354124089.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9688a513bba34d0d6796eeaa4fbf2971401703dda120b550bbdf1730f1ce1553
                    • Instruction ID: 1ac74bfea5c94f2c79739ea4f97bebdacf17d076805861e8386c2ef8f220b082
                    • Opcode Fuzzy Hash: 9688a513bba34d0d6796eeaa4fbf2971401703dda120b550bbdf1730f1ce1553
                    • Instruction Fuzzy Hash: 46F09A31A0C5458FDB94EB5CA4448A8B7E0FF16360F4500B6E19EC70A3DB29ACA08B64

                    Non-executed Functions

                    Function 00007FF848F08BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2353144522.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: O_^4$O_^7$O_^F$O_^J
                    • API String ID: 0-875994666
                    • Opcode ID: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                    • Instruction ID: 8bd8163f0f9ae516a15f916a4231b8f7fb71d175f1a7c6e4fa1c9a0ae69dd810
                    • Opcode Fuzzy Hash: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                    • Instruction Fuzzy Hash: E521297762A025DED3417B7DB8045DA3750DFD427AB4502B2D19E8F243EA1C708686E4

                    Executed Functions

                    Function 00007FF848FE6605 Relevance: 6.7, Strings: 5, Instructions: 432COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2554891469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                    • API String ID: 0-1620291718
                    • Opcode ID: 727b9f5f5edd46cfa34206621bea495087f578303416941d4bfe109b28e89613
                    • Instruction ID: 1ff8d8c41544c0d995036f3c9114644e47cf323f24db3735f0b8e6741921e973
                    • Opcode Fuzzy Hash: 727b9f5f5edd46cfa34206621bea495087f578303416941d4bfe109b28e89613
                    • Instruction Fuzzy Hash: 70D14231D1EA8E9FEB99AB2858145B5BBA0EF16390F1801FED44DCB1D3EB1CA805C355
                    Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2554891469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>#I
                    • API String ID: 0-2340899229
                    • Opcode ID: c3d2c6ce4abfda50adb61af8c7f9807786b5701e372785543038c9a0699f4fb5
                    • Instruction ID: 5e0d0b4196aa91d71771a72123ae8170bbeec52ae5485a91720aee9b55c57bb9
                    • Opcode Fuzzy Hash: c3d2c6ce4abfda50adb61af8c7f9807786b5701e372785543038c9a0699f4fb5
                    • Instruction Fuzzy Hash: 1451D332E0DE4A4FEB9AEB2C941167577E1EFA5260F5801BEC10DC72D2DF1CE8058259
                    Function 00007FF848DFED40 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2552147812.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: g=
                    • API String ID: 0-3635911044
                    • Opcode ID: c06b87e34b120f1e9b522fbb343291400afbbe52d71ff1173de4e4be3b371e00
                    • Instruction ID: 6effcb204afba03b9cbb75948436f365ea0572fe464720e684755d8ac2994eb1
                    • Opcode Fuzzy Hash: c06b87e34b120f1e9b522fbb343291400afbbe52d71ff1173de4e4be3b371e00
                    • Instruction Fuzzy Hash: B441083180EBC44FD7569B28AC41A523FF0EF57260F1906DFD088CB5A3D729A849C7A2
                    Function 00007FF848FE40BF Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2554891469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8>#I
                    • API String ID: 0-2340899229
                    • Opcode ID: 73dc0885ef90f172f7c2a060ef6a87396c305d280300f67abb6b6471a346cd1b
                    • Instruction ID: 2ba60ccbf62ebaaba0b3e998fcf6899c5dff4ce0090984e13f8a88994cf280a0
                    • Opcode Fuzzy Hash: 73dc0885ef90f172f7c2a060ef6a87396c305d280300f67abb6b6471a346cd1b
                    • Instruction Fuzzy Hash: 7C218E32E0DE864FEBAAEB28945117466D1FF642A0F5901BEC11DC72E2CF1CDC458249
                    Function 00007FF848F19780 Relevance: .1, Instructions: 126COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2553598266.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 51547bbbefc2c2c93ee451e8121b276ebd85ebfdd7bdc0433faab74ecb421af9
                    • Instruction ID: dfbf89d8c938133ec70b85acc171737a651b9a64e75adc0cfdb690abe31e0f29
                    • Opcode Fuzzy Hash: 51547bbbefc2c2c93ee451e8121b276ebd85ebfdd7bdc0433faab74ecb421af9
                    • Instruction Fuzzy Hash: D5310A3191CB488FDB18DF5C9C066A97BF0FB99310F00426FE449D3652CA74A855CBC2
                    Function 00007FF848F1A49C Relevance: .1, Instructions: 99COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2553598266.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b589d63584b5cc45dcc1522d1da09751eace547c405f19378827fabfa3af59f5
                    • Instruction ID: 6de1f8b3399c89cad721120d08a596951d57c9c5ea3674171532f6b6d3c06d8e
                    • Opcode Fuzzy Hash: b589d63584b5cc45dcc1522d1da09751eace547c405f19378827fabfa3af59f5
                    • Instruction Fuzzy Hash: B721F83190CB8C4FDB59DB6C984A7E97FF0EB96321F04426BD049C3192D674A85ACB91
                    Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2553598266.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                    • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                    • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                    Function 00007FF848F1A0FB Relevance: .0, Instructions: 41COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2553598266.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ff2a5ca1faf006e48303afc99d0fa40744382cedbe62319ef10a2965dd7d0fe
                    • Instruction ID: 43f86cbbad0bcefa997776f95890cf8d569e72a605e799b11beec97b8a6b1842
                    • Opcode Fuzzy Hash: 1ff2a5ca1faf006e48303afc99d0fa40744382cedbe62319ef10a2965dd7d0fe
                    • Instruction Fuzzy Hash: 05F0F63A90CA884FDB86EF3C98690D4BF90FF65341B0401ABE508C71A2DB218C48CBC1
                    Function 00007FF848FE43FA Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2554891469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 606275dcee40496c2d260f30af02a75a4bd1469d99b855ee947373780484299f
                    • Instruction ID: f671408808c2fc068918eb96864cbb4abd6044fa0940745d59756ace39bdf123
                    • Opcode Fuzzy Hash: 606275dcee40496c2d260f30af02a75a4bd1469d99b855ee947373780484299f
                    • Instruction Fuzzy Hash: 2AF09A31A0C9458FDB54EB1CA4458B8B7E0FF15361F5500BAE05DC74A3DB2AAC618765

                    Non-executed Functions

                    Function 00007FF848F18BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2553598266.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                    • API String ID: 0-2388461625
                    • Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                    • Instruction ID: 198e3087ebbfc7504edfa98630f772db252869f6143ea1114750b6929877bbe0
                    • Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                    • Instruction Fuzzy Hash: D0212973A1A5119AC30137BCBC515D97B91EF543B874502F3E218CF113DE1C648B8796