Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ServerManager.exe

Overview

General Information

Sample name:ServerManager.exe
Analysis ID:1465856
MD5:c5b7998c5908e5a4742674dbfda9ffb8
SHA1:3f1d2d30d7d602dcc193e0eb52aa5893a6e2d69b
SHA256:9f727bce5e9e5fa25b4e97322a77fb7d73c16f9c220955ec16661892d72bc6ea
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ServerManager.exe (PID: 1280 cmdline: "C:\Users\user\Desktop\ServerManager.exe" MD5: C5B7998C5908E5A4742674DBFDA9FFB8)
    • powershell.exe (PID: 7068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ServerManager.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Server Manager.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Server Manager.exe (PID: 5268 cmdline: "C:\ProgramData\Server Manager.exe" MD5: C5B7998C5908E5A4742674DBFDA9FFB8)
  • Server Manager.exe (PID: 5984 cmdline: "C:\ProgramData\Server Manager.exe" MD5: C5B7998C5908E5A4742674DBFDA9FFB8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["89.213.177.81"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
ServerManager.exeJoeSecurity_XWormYara detected XWormJoe Security
    ServerManager.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      ServerManager.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xfca4:$s6: VirtualBox
      • 0xfc02:$s8: Win32_ComputerSystem
      • 0x12408:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x124a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x125ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x116ec:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\ProgramData\Server Manager.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\ProgramData\Server Manager.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\ProgramData\Server Manager.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xfca4:$s6: VirtualBox
          • 0xfc02:$s8: Win32_ComputerSystem
          • 0x12408:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x124a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x125ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x116ec:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xfaa4:$s6: VirtualBox
            • 0xfa02:$s8: Win32_ComputerSystem
            • 0x12208:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x122a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x123ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x114ec:$cnc4: POST / HTTP/1.1
            00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xf71c:$s6: VirtualBox
              • 0xf67a:$s8: Win32_ComputerSystem
              • 0x11e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x11f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x12032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x11164:$cnc4: POST / HTTP/1.1
              00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                Click to see the 1 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.ServerManager.exe.e20000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.0.ServerManager.exe.e20000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0xfca4:$s6: VirtualBox
                  • 0xfc02:$s8: Win32_ComputerSystem
                  • 0x12408:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0x124a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0x125ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0x116ec:$cnc4: POST / HTTP/1.1

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ServerManager.exe", ParentImage: C:\Users\user\Desktop\ServerManager.exe, ParentProcessId: 1280, ParentProcessName: ServerManager.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', ProcessId: 7068, ProcessName: powershell.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ServerManager.exe", ParentImage: C:\Users\user\Desktop\ServerManager.exe, ParentProcessId: 1280, ParentProcessName: ServerManager.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', ProcessId: 7068, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Server Manager.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ServerManager.exe, ProcessId: 1280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server Manager
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ServerManager.exe", ParentImage: C:\Users\user\Desktop\ServerManager.exe, ParentProcessId: 1280, ParentProcessName: ServerManager.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', ProcessId: 7068, ProcessName: powershell.exe
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\ServerManager.exe, ProcessId: 1280, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server Manager.lnk
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ServerManager.exe", ParentImage: C:\Users\user\Desktop\ServerManager.exe, ParentProcessId: 1280, ParentProcessName: ServerManager.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe', ProcessId: 7068, ProcessName: powershell.exe

                  Snort Signatures

                  Timestamp:07/02/24-07:38:23.603448
                  SID:2855924
                  Source Port:56136
                  Destination Port:7000
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:07/02/24-07:38:51.103158
                  SID:2852874
                  Source Port:7000
                  Destination Port:56136
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:07/02/24-07:39:08.029867
                  SID:2852923
                  Source Port:56136
                  Destination Port:7000
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:07/02/24-07:39:08.027108
                  SID:2852870
                  Source Port:7000
                  Destination Port:56136
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: ServerManager.exeAvira: detected
                  Antivirus detection for dropped file
                  Source: C:\ProgramData\Server Manager.exeAvira: detection malicious, Label: TR/Spy.Gen
                  Found malware configuration
                  Source: ServerManager.exeMalware Configuration Extractor: Xworm {"C2 url": ["89.213.177.81"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\ProgramData\Server Manager.exeReversingLabs: Detection: 73%
                  Source: C:\ProgramData\Server Manager.exeVirustotal: Detection: 64%Perma Link
                  Multi AV Scanner detection for submitted file
                  Source: ServerManager.exeVirustotal: Detection: 64%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\ProgramData\Server Manager.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: ServerManager.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: ServerManager.exeString decryptor: 89.213.177.81
                  Source: ServerManager.exeString decryptor: 7000
                  Source: ServerManager.exeString decryptor: <123456789>
                  Source: ServerManager.exeString decryptor: <Xwormmm>
                  Source: ServerManager.exeString decryptor: Service Host
                  Source: ServerManager.exeString decryptor: USB.exe
                  Source: ServerManager.exeString decryptor: %ProgramData%
                  Source: ServerManager.exeString decryptor: Server Manager.exe
                  Source: ServerManager.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ServerManager.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

                  barindex
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 89.213.177.81:7000 -> 192.168.2.6:56136
                  Source: TrafficSnort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:56136 -> 89.213.177.81:7000
                  Source: TrafficSnort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 89.213.177.81:7000 -> 192.168.2.6:56136
                  Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:56136 -> 89.213.177.81:7000
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: 89.213.177.81
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: ServerManager.exe, type: SAMPLE
                  Source: Yara matchFile source: C:\ProgramData\Server Manager.exe, type: DROPPED
                  Source: global trafficTCP traffic: 192.168.2.6:56136 -> 89.213.177.81:7000
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                  Source: Joe Sandbox ViewASN Name: EDGEtaGCIComGB EDGEtaGCIComGB
                  Source: unknownDNS query: name: ip-api.com
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownTCP traffic detected without corresponding DNS query: 89.213.177.81
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: powershell.exe, 00000005.00000002.2264839468.000001D527C46000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2405649577.0000021AE1501000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                  Source: powershell.exe, 00000005.00000002.2264839468.000001D527C46000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2405649577.0000021AE1501000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                  Source: powershell.exe, 00000002.00000002.2173832190.000002D9DDE1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                  Source: ServerManager.exe, Server Manager.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: powershell.exe, 00000002.00000002.2166138809.000002D9D56A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2251088379.000001D51F422000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2390912790.0000021AD91E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000C.00000002.2441830023.000001BD017FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD017B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.2149714407.000002D9C5859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F5D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC939A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD0185C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: ServerManager.exe, 00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2149714407.000002D9C5631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC9171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD01561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000002.00000002.2149714407.000002D9C5859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F5D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC939A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD0185C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 0000000C.00000002.2441830023.000001BD017B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000005.00000002.2264147959.000001D527B89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                  Source: powershell.exe, 00000002.00000002.2149714407.000002D9C5631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC9171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD01561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000C.00000002.2441830023.000001BD017B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000008.00000002.2405649577.0000021AE14C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5mConsumer
                  Source: powershell.exe, 00000002.00000002.2166138809.000002D9D56A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2251088379.000001D51F422000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2390912790.0000021AD91E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                  Operating System Destruction

                  barindex
                  Protects its processes via BreakOnTermination flag
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: 01 00 00 00 Jump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: ServerManager.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.0.ServerManager.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\ProgramData\Server Manager.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD34686C920_2_00007FFD34686C92
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346821B10_2_00007FFD346821B1
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346816DE0_2_00007FFD346816DE
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD34685EE60_2_00007FFD34685EE6
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346810A50_2_00007FFD346810A5
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346817190_2_00007FFD34681719
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346813D30_2_00007FFD346813D3
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD3468A7E00_2_00007FFD3468A7E0
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346813700_2_00007FFD34681370
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3465207D2_2_00007FFD3465207D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34650A502_2_00007FFD34650A50
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34655EFA2_2_00007FFD34655EFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD346556EA2_2_00007FFD346556EA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34655BFA2_2_00007FFD34655BFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34656FFA2_2_00007FFD34656FFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347239D12_2_00007FFD347239D1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347230E92_2_00007FFD347230E9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3469714A5_2_00007FFD3469714A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD346972535_2_00007FFD34697253
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3469B9FA5_2_00007FFD3469B9FA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD346956EA5_2_00007FFD346956EA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD346920355_2_00007FFD34692035
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34693FFA5_2_00007FFD34693FFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34695BFA5_2_00007FFD34695BFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34696FFA5_2_00007FFD34696FFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3469B7FC5_2_00007FFD3469B7FC
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD347639D15_2_00007FFD347639D1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34762E115_2_00007FFD34762E11
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD3467706D8_2_00007FFD3467706D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD3467714A8_2_00007FFD3467714A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD346772538_2_00007FFD34677253
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD34678E4C8_2_00007FFD34678E4C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD346721FA8_2_00007FFD346721FA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD346716BF8_2_00007FFD346716BF
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD34678EA08_2_00007FFD34678EA0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD346716FA8_2_00007FFD346716FA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD3467BBFA8_2_00007FFD3467BBFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD34675BFA8_2_00007FFD34675BFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD347439D18_2_00007FFD347439D1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD3468206D12_2_00007FFD3468206D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD34685EFA12_2_00007FFD34685EFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD34685BFA12_2_00007FFD34685BFA
                  Source: C:\ProgramData\Server Manager.exeCode function: 16_2_00007FFD3467171916_2_00007FFD34671719
                  Source: C:\ProgramData\Server Manager.exeCode function: 16_2_00007FFD3467103816_2_00007FFD34671038
                  Source: C:\ProgramData\Server Manager.exeCode function: 17_2_00007FFD346816DE17_2_00007FFD346816DE
                  Source: C:\ProgramData\Server Manager.exeCode function: 17_2_00007FFD3468103817_2_00007FFD34681038
                  Source: C:\ProgramData\Server Manager.exeCode function: 17_2_00007FFD3468171917_2_00007FFD34681719
                  Source: ServerManager.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ServerManager.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.0.ServerManager.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\ProgramData\Server Manager.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: ServerManager.exe, gKMWDTMWUubM8SQzLZimtFgSgUsV0TnCCUu0IP8L9falxDA4MIUqy9Zm4EruvlYGBv86fzMr22NHAtk4xST.csCryptographic APIs: 'TransformFinalBlock'
                  Source: ServerManager.exe, WEkPluHJzmSxu7WhrqQ1sGmpx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: ServerManager.exe, WEkPluHJzmSxu7WhrqQ1sGmpx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Server Manager.exe.0.dr, gKMWDTMWUubM8SQzLZimtFgSgUsV0TnCCUu0IP8L9falxDA4MIUqy9Zm4EruvlYGBv86fzMr22NHAtk4xST.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Server Manager.exe.0.dr, WEkPluHJzmSxu7WhrqQ1sGmpx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Server Manager.exe.0.dr, WEkPluHJzmSxu7WhrqQ1sGmpx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: ServerManager.exe, 8gxPBxLoZ0upiH4kY4G3UFeNj.csBase64 encoded string: 'PGz0Aa0G947SeG9fMngQmY1I6vyoFKdU4He2u0hDK6sCrnJjuGBO5AhVOitJ', 'X7qKSJSpIZbZ7aokd67wLw7ZGhU2G8uNKWUBrjjZIRGsHuhBlmQFK0HlgOK0'
                  Source: ServerManager.exe, WEkPluHJzmSxu7WhrqQ1sGmpx.csBase64 encoded string: 'nshtPuCzXbqBwfEZnVdYeBX299e5vfX59adTCUlFN9hgoSy7i8ThFutSXolk'
                  Source: Server Manager.exe.0.dr, 8gxPBxLoZ0upiH4kY4G3UFeNj.csBase64 encoded string: 'PGz0Aa0G947SeG9fMngQmY1I6vyoFKdU4He2u0hDK6sCrnJjuGBO5AhVOitJ', 'X7qKSJSpIZbZ7aokd67wLw7ZGhU2G8uNKWUBrjjZIRGsHuhBlmQFK0HlgOK0'
                  Source: Server Manager.exe.0.dr, WEkPluHJzmSxu7WhrqQ1sGmpx.csBase64 encoded string: 'nshtPuCzXbqBwfEZnVdYeBX299e5vfX59adTCUlFN9hgoSy7i8ThFutSXolk'
                  Source: Server Manager.exe.0.dr, 5D5HiKNzbR9pwxEc23nNJsvFsVM2OT80R8euwIify5fYP4zQ9LzJulQXwAa4NZQ9l.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: Server Manager.exe.0.dr, 5D5HiKNzbR9pwxEc23nNJsvFsVM2OT80R8euwIify5fYP4zQ9LzJulQXwAa4NZQ9l.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ServerManager.exe, 5D5HiKNzbR9pwxEc23nNJsvFsVM2OT80R8euwIify5fYP4zQ9LzJulQXwAa4NZQ9l.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: ServerManager.exe, 5D5HiKNzbR9pwxEc23nNJsvFsVM2OT80R8euwIify5fYP4zQ9LzJulQXwAa4NZQ9l.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@15/21@1/2
                  Source: C:\Users\user\Desktop\ServerManager.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server Manager.lnkJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
                  Source: C:\ProgramData\Server Manager.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_03
                  Source: C:\Users\user\Desktop\ServerManager.exeMutant created: \Sessions\1\BaseNamedObjects\tMsgut2eLqwAAER1
                  Source: C:\Users\user\Desktop\ServerManager.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                  Source: ServerManager.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ServerManager.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\ServerManager.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: ServerManager.exeVirustotal: Detection: 64%
                  Source: C:\Users\user\Desktop\ServerManager.exeFile read: C:\Users\user\Desktop\ServerManager.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\ServerManager.exe "C:\Users\user\Desktop\ServerManager.exe"
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ServerManager.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Server Manager.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\ProgramData\Server Manager.exe "C:\ProgramData\Server Manager.exe"
                  Source: unknownProcess created: C:\ProgramData\Server Manager.exe "C:\ProgramData\Server Manager.exe"
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ServerManager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Server Manager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: mscoree.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: apphelp.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: kernel.appcore.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: version.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: uxtheme.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: sspicli.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: cryptsp.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: rsaenh.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: cryptbase.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: mscoree.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: kernel.appcore.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: version.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: uxtheme.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: sspicli.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: cryptsp.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: rsaenh.dll
                  Source: C:\ProgramData\Server Manager.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\ServerManager.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: Server Manager.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Server Manager.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: ServerManager.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: ServerManager.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.sC89JVvnkrWAOlSnjCF46cJnue6mnaS5X,n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.SjmnY7lupaCb3NzXwauijctrW5LMX0KIr,n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.cGVuJ2qrlFPMsOhxoGpFjudayhTeIYHpb,n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.KmEmpumkaEGt4nvQZ3AMrzyN3rFKGiFcP,WEkPluHJzmSxu7WhrqQ1sGmpx.LKLGOq8nD10C2D6LG3umYQVqh()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UAADExHhqd1u6Zjk2SCM5k8uDxx28hSO4GBd6x6jLylPpC4yrddBUw0NISfCeePLVIiyPAUYfhhoh2aGcfTTSiIzDzl24Ognvw[2],WEkPluHJzmSxu7WhrqQ1sGmpx.gdArVE35JZu3TsSRIQ2SBFa51(Convert.FromBase64String(UAADExHhqd1u6Zjk2SCM5k8uDxx28hSO4GBd6x6jLylPpC4yrddBUw0NISfCeePLVIiyPAUYfhhoh2aGcfTTSiIzDzl24Ognvw[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UAADExHhqd1u6Zjk2SCM5k8uDxx28hSO4GBd6x6jLylPpC4yrddBUw0NISfCeePLVIiyPAUYfhhoh2aGcfTTSiIzDzl24Ognvw[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.sC89JVvnkrWAOlSnjCF46cJnue6mnaS5X,n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.SjmnY7lupaCb3NzXwauijctrW5LMX0KIr,n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.cGVuJ2qrlFPMsOhxoGpFjudayhTeIYHpb,n1MWDYfDM479aWrfziMd819oH6SvnQ9PC.KmEmpumkaEGt4nvQZ3AMrzyN3rFKGiFcP,WEkPluHJzmSxu7WhrqQ1sGmpx.LKLGOq8nD10C2D6LG3umYQVqh()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UAADExHhqd1u6Zjk2SCM5k8uDxx28hSO4GBd6x6jLylPpC4yrddBUw0NISfCeePLVIiyPAUYfhhoh2aGcfTTSiIzDzl24Ognvw[2],WEkPluHJzmSxu7WhrqQ1sGmpx.gdArVE35JZu3TsSRIQ2SBFa51(Convert.FromBase64String(UAADExHhqd1u6Zjk2SCM5k8uDxx28hSO4GBd6x6jLylPpC4yrddBUw0NISfCeePLVIiyPAUYfhhoh2aGcfTTSiIzDzl24Ognvw[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UAADExHhqd1u6Zjk2SCM5k8uDxx28hSO4GBd6x6jLylPpC4yrddBUw0NISfCeePLVIiyPAUYfhhoh2aGcfTTSiIzDzl24Ognvw[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: sGZTm8ss2UINPtVpM0Qo9vB3c6zESvcMlipX17ZJKvpj9pYuVoHjXTkPOTaDeBXhU System.AppDomain.Load(byte[])
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: omWSrS32KO2vhnxvUJCjoNT8rehD9ss5ReKtKzQwO6wAAz4AjC0er5SlwsyMHrAohaTEcjeRmyg9KtFRCgRkriiq3LBJARwwWH System.AppDomain.Load(byte[])
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: omWSrS32KO2vhnxvUJCjoNT8rehD9ss5ReKtKzQwO6wAAz4AjC0er5SlwsyMHrAohaTEcjeRmyg9KtFRCgRkriiq3LBJARwwWH
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: sGZTm8ss2UINPtVpM0Qo9vB3c6zESvcMlipX17ZJKvpj9pYuVoHjXTkPOTaDeBXhU System.AppDomain.Load(byte[])
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: omWSrS32KO2vhnxvUJCjoNT8rehD9ss5ReKtKzQwO6wAAz4AjC0er5SlwsyMHrAohaTEcjeRmyg9KtFRCgRkriiq3LBJARwwWH System.AppDomain.Load(byte[])
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.cs.Net Code: omWSrS32KO2vhnxvUJCjoNT8rehD9ss5ReKtKzQwO6wAAz4AjC0er5SlwsyMHrAohaTEcjeRmyg9KtFRCgRkriiq3LBJARwwWH
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD3468CF7C push cs; ret 0_2_00007FFD3468CF7F
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3453D2A5 pushad ; iretd 2_2_00007FFD3453D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD346528FA push ebx; retf 2_2_00007FFD3465290A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34652785 push ebx; retf 2_2_00007FFD3465290A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34722316 push 8B485F95h; iretd 2_2_00007FFD3472231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3457D2A5 pushad ; iretd 5_2_00007FFD3457D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34762316 push 8B485F91h; iretd 5_2_00007FFD3476231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34769521 push es; retf 5_2_00007FFD34769542
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD3455D2A5 pushad ; iretd 8_2_00007FFD3455D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD34742316 push 8B485F93h; iretd 8_2_00007FFD3474231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD3456D2A5 pushad ; iretd 12_2_00007FFD3456D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD34752316 push 8B485F92h; iretd 12_2_00007FFD3475231B
                  Source: ServerManager.exe, 8gxPBxLoZ0upiH4kY4G3UFeNj.csHigh entropy of concatenated method names: 'xwAG7wVWsgyuMWVFfmhQlpN6K', 'GUVI1FZUu5IJVD3IwqzzaqABT', 'r8hjrb97CAUISNwkn9v1i4Oro', 'vYAEK3EH59ZAFswlzt7tPva5FTaMpAvq0e8CwXeOFJgAbKZgfxSwcHdTlXVI', 'C4kbaHOp385wS738ew26I1BZRbHBasMfmMXmnG2Gntqjo9fUCG6cQnbGcYPR', 'IYXtWDeckuPdNjmb95dCYtRhfMnObtoMrcbq0RncrLVZ0f1QsgviQPHJYwu3', 'yiDoTJ8an6tspWCHAcMIuxVLHyHRbPH054Xb2xqwJBCjL8vr4pZMXbaatK1V', '_25MITyhMxOExH2Qz6JSyS3u6x3JTmocCFcuo6348gsQgmZTtca3HtuDG1BFd', 'nztYpTbspTQ7EcQs6cGZODaJuAis3lxUokCJKuBoarT0M2hFLAWKpj8g9Tg3', 'fyIWSYwLNYEpscATO1plLdECqWVYOEFlz9HJILUndeQbBK4gB1yPI3HYqm0m'
                  Source: ServerManager.exe, cAY1JHGrS6II4CSxqSolra4PBuAKeflv0.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0mJ2vrUbPx6R1rlWfkmINRVm5', 'FZLAkv17bSijUTcATHoZ7r5ef', 'eCqHqhYcbmY9IEeSOn0Lz4cRb', 'vOh9vKLxTqbLtMCzHPBANx45t'
                  Source: ServerManager.exe, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.csHigh entropy of concatenated method names: 'huqXPBfLzpusoDzptx34oqD2bA0KwhCohpUNfZk7HVz0LAMG60UURRbmPnCeMuFGr', 'sGZTm8ss2UINPtVpM0Qo9vB3c6zESvcMlipX17ZJKvpj9pYuVoHjXTkPOTaDeBXhU', 'FE9vxI1PuXbpOwP0JKkxlAC811zowJEvCFlv0zbw3Ye9LkZ8ykmJBFn4T39CAnTCd', '_0MXWpdaDxF5hqmuXIj03KO2S53WjOze8ESQIOTeGlGa43S8YQ7Bh0uDKJoNdr7CUW', 'x6eTMMz8P4OL82Jn9FtbcHbeCErNrJekdSj65Rwax6GxiCW33A8KPpda5zX6EoEr4', 'E7uyHatDr1rKIYcvS6rRazxBCiDtXqJEvyEsxUHZbZGnuWOHpbxXJDJ9rNZE9lIPRcEGRiH5vq5IhOhZlYx9Tj3kk1enHIWQoh', 'R662gBE1qEe0XVBHPmzxIpJzR1YBMl2m1tfcctdZTJKZwPQPcgaJdKarKySknsuxujkKswIv08cmdksCFp9RMY2M8Q1dqK5vzl', 'wJNjIJiWcRaJRZCsww6NlarRpKdLA4jhGq3LknFJ8E2kHOmsXCd0kOo34n4r98aCgYrwfjMN8EJukXBRt2rL43unb4otX7zL68', 'GghHpWJqCHKDdiJZT1AGcBNvdBK27GvU09pI06hyzA03pV7zCnoxoXcbRSCqXCipPjv9CvplbKrcBtpUv35bbaQEnNWk0vnsmv', 'W7hBfPblHFapmXpnhYv3NLHsd1VRYreWO9Zf2kJb85XPKBiQROqjqNvwa5trn8EZktbsqqkr6FU3yP3Q4ErSgBFFpAa4rzLOEn'
                  Source: ServerManager.exe, TBBsrpMOsnlGPWhUwLR0UqVtIEeIPqG8VOzJFdcD8V0QgjU85yIaylUOacsZU5dIziI729aK4gyH1mVoB0g.csHigh entropy of concatenated method names: '_0cKGbHl458dEXhwvCi8sYTtLb02DuEtBCb3dtdPs4tVX2Efgl2jVW0tOsLjyFvfXmEt7MynNDH1UepnuE60', 'fG0vUOXOLxvJMrIjYQnDzzi1JOvj1paVzb4I9swwpROT4svm1IWfb4gKBgCPDKdRTPquiZM5gZhsZXXHSrl', 'M5Y1vWtWDdSyjFEE8q9PrKbMtVy1LG4JN0MaKKT8CAPRbbaRMTTkmUIF34qRQBK6ksFJ8e0DobI8vjzUBvG', 'gSoQ2bNIMPp4mTUUxai5A4PdBrnO40bFn8LD2lIx8qtyxgPQPtpkAofQqxzHVz3xtmlG1sslsUL3QioP3q7', 'ruHjadlpc6oXSPXEa16gNcwfuv3sT13FeYw17uVItJd', 'r2IH4A4LYsBRVCksKwZ518Gi8tRL6rfZklohBRtlOCl', 'FprurO3uwglcoJcAOmhxWbb3gXYjaP8LA5B7fyqLj9G', 'fNDraAH93jR7tAOzW9VFAScHLdvoSDuoKnCzwY9Xg7K', 'Qtcu6lbXd5mvAwE7AzftfvqOTxC7LD0Qp6MTzwstxiP', 'lQNYx0FR6U2NK8XhPS4USKdaDh4MVcGsQ6KTFsa6a9j'
                  Source: ServerManager.exe, YA10RSYRRniX8kQXEtZ2RhNM4Gck5eyyTae2EwZMFZ0pKPugKrRbYxrTUsRR7YWQVsp8ee86bf3yqlA0nqUe1LajeKT0MWUW9W.csHigh entropy of concatenated method names: 'P488koC6HpviZ49ksNTnJ8KgVG7K6tF3RteP3HPV296l2toTjJ94UCsmv3fhOlRzkdkv3cnl3I7IPh2h51oa2IzQ7BvHaaFq25', 'k3Xx678hk2uJOLlRAbjJqKP87wUr0xF2m5NfKl8zxB8Wafom9DLyDOunvnrrb617USqjNj0XlRJOZ9aNZPwpvDtZEgPRxZgZ5t', 'fXpiDD47BBS5jgxuGLn1LaOL8aAVVOJB7fGfx1mgnOyV6BSleuazJhKFJZhzOOmwiNtJpEIvc0OKBjDfe5kXOMEwpqiFS6ntka', 'GJILbNJnh6lT7bE97jcvkJMmxDowySTQgX7qA7IbMrroKzLteWtlLqNx5uL3FVf46W2kmmhECLWPtamI3Cf', 'x8iAeB2xpXDiBEs3odoVPSsYlfgofUOhWAfMtl15XvuicliXGfRRE8hVaya7kA5mvwrcYqw0fBNYxUcfemx', 'Az2CCCThLdKyAgJMwZGQyZSfaDmK8vi2WJgv29RHxhXD3bkStFo973IHMfoVg3O6gbG7KXcd5rVWfGQC25Q', 'fGnGcYUYzlJvmDSpK3PPZkYNrIOZIp4dUAYtSumJpW0jcKob6HlwbwUgoKr9VBqq2KivDahesftoCz0ozNu', 'luq0CLz8LPy31eG9ysPLFMYcKI3qiwU92VK58cEQdQAkf3B8hCOLpZAFufs9WNEyGcip6PUq8UTWOCNauWH', 'YNjBxxNVcsOjJkmY0xcC4bPJvkQqPoil2owdY5PBsfiQHs6heBIoITTAuhqRSMNT6oBc1EKFs1WMeFEpt0d', 'qYEJERNZwnAfX5SNRGoBcTWAC4K2Pj0IAi4QlqO6pUumJ2tXBSwKpIZbwbCwMZgY8uekiPplqLbHQ0OMhaF'
                  Source: ServerManager.exe, z2JWD48iZkNLFgNd58g0x4ojAiCfmPG30sHSmJas1indA42NdNlI4yYsjqj7ruIxB.csHigh entropy of concatenated method names: 'Yo0dGngvzDwqllduWigLXJzlM9RL0w9T7GXYa7Og2G9WFs3XsOcvdPJNSIo5gKZeG', 'KKdIgvSmIa6uHSO7r6s7plRx6tL1Vmormt0y3qFFMki05Q9N2vK0EambJrRcwHG4b', '_47Ovb8KH3liGPOyY3Az3gp4K8mH3g4AWAz10E6Ogb5xYU6WangvvQfpCsjLW3AYTf', 'rgyCYLdjGxIbcUZYWDuciIsIyZb5n3L90RyQBWoDDRLvGGhfbOha2YUbpHCs155rZ', 'LzVFmTESN1tgO7oOCFZE5ko4Ido1byrWCAdAS3XUtzYYOiFDwl0ECHRwmh0S3Oiqo', 'CCtAx7svTdinvMEae2FjM3FzwLHAh8TN0Z601JK6ijqlB4M78sjg82AyIykwUtbYj', '_2llpCGAyXNHINuV02SCIjxuQJjQW3GNB6vIOVVOKTYCqPqTvUUVaUDRgd8NESMyVV', 'eEOFPnbWqcVQ0BXY751u1haVPeXMtZZM7430wGYZPprQ67TLZYrsHmAjLEpsEugpX', 'Vzo2gtyHXECPqnLsxeCZRoVzC2utD83fkXmguUaOjsdRq9LrHaMtboHCaj5OYciCm', 'Nm4mcWadJOZTYExIriiwxfyuBZVuzz881cOdQGelWVffgm79DEhwDDj4WKmw8OvdR'
                  Source: ServerManager.exe, 5D5HiKNzbR9pwxEc23nNJsvFsVM2OT80R8euwIify5fYP4zQ9LzJulQXwAa4NZQ9l.csHigh entropy of concatenated method names: 'tB5WUAEgX7B6kZKxNPsqccXvIyZgRX9syegGXD7B3SCd0nsbu6EIYrdPR9Pw67n6p', 'cyZu1ViZD7Gj996vm7EW3BoC0sVhenIIPBMZZR6LJYv4GwYDDJD1pAfEEm9dSXgTz', '_0oHpi9OvPgLwU60rwTEbfAIAU0KFuXo3u6cb81820izputUMUXjW2arfy23QFSy5Z', 'Wl7mg8yUjcOgphvmMgXHEUAY7b2ybdxEGRswFE8fiDahJBvq8Bb2TdiazRaJiusR6', 'adivzlbzNQVqjU0n1uzbghfwzuN2ESxqRtKb734IdZpT7YBZMzK3p19cUUJKu2GZM', 'knkuOOUkDWrUioHrfJKYj7dLyrfx2YlQ0kcdnS4sbgxpgyUdN7O5IpvC6Wuv1MiEI', '_0T31D0BRdZPGKP2LabImBgmCAdKjjKpN34EWPdOZTWJKdn8KQ137B07MzH9fzYqzO', 'iGL31GrxOqqyn2Oubh69noUOXG7sLiC0j0i7B4CIhHWmVo2McN1QSvuXCJld7brY6', '_9YYou8bXjXiEKMosFgWwdesq21unfGITCvTYoZDeWQeKCY98YFe2gvJBFqYA6MzFN', 'nnY6kbrzTK8vy1nBUxezVRIKPh1kOUPiPjDDPDuPgKs7ZOibYrDQEHL4FhRUAyS3Z'
                  Source: ServerManager.exe, gKMWDTMWUubM8SQzLZimtFgSgUsV0TnCCUu0IP8L9falxDA4MIUqy9Zm4EruvlYGBv86fzMr22NHAtk4xST.csHigh entropy of concatenated method names: 'vHzizXHycaVwwrBhPa7VmNE13', '_4pSdIVmMBFBjKSYBk9DctTJnEt5rEhXAzz3U4yz6PuYrp7OwIC5lBVsGb7V01uHvZi0nAe0Ohs2', 'iXa09HLTf3dZsRI2zOMj7Ci5tMVJcklpsUWt4DvMb1JlYh66NGckBnRm9o9gHknH5X8BbRDcnH9', 'OJCzCLvpFBvYvjboiJADJAbm2pBgI1uyawGu8Sf3LsDo5tv4YtYgcsdaQ9oGWx9wfaaEImMBwVa', 'vqH7k9GAMaZn8oRtVRAnNTsusK7g0WReLZfXrnT1fFi3k2jVcYO4JhJusG4YlLPtWcq9WHXE7jZ'
                  Source: ServerManager.exe, WEkPluHJzmSxu7WhrqQ1sGmpx.csHigh entropy of concatenated method names: 'alP2pDAfQ0j3k1sj7mJBP697W', 'vTQSIj4ugwy6pAn8xlN8GtY8m', 'byk9Lrj6vGySSw0fG9J8TsbpS', 'wzjf8QmQoyBoVxjoLoHzMWiOz', '_4EIJjXuGuLIFttrXzHi62zPBb', 'VjpM7uqJ5h6j4DInBegm8Cgag', 'xfx3bO1k8yHn1mS4OfeAATr3W', 'Nl6ZnIujtJgyKgef1ap6BkD4P', 'xBii5Q0t3eYJPbIBBvOgZS8zP', 'NcJ8YT5a0rAQ6VIvkNfv4IThU'
                  Source: ServerManager.exe, MPcgcE6ZxEy4y4KZrPaumiTfDZEN43k4kSHPkMwvliWO4rstGifwK97BMZieZ7NtaK2XcKw3oFGLZ23RSKifrCOGHEFCqUtpEW.csHigh entropy of concatenated method names: 'C37QjebKdbP9YJ1hr5PZeOrPdA1J4laSqzppIgw9C3S1RPSvzvUfBdkRoEA3GxopRSqJv0gMPF7I2vbxjxm1Ny9ncJ8Hn4pk00', 'ZbWhUTW8MrzfMc61EXiwnmiMhUvhN0IDwGY5vDtC56R', 'rBLcvzxiPfMtcYmKatHXTdjU1gMTaf3nzyTbspLfmSU', 'hoinDa4h24qezH4SyksGK2kjypVL8ciJS1bclREIpN4', '_4ouDZUTy7zlhM1B9hWL08oNqZ2m1Gyg3jhLpjzF7IAp'
                  Source: Server Manager.exe.0.dr, 8gxPBxLoZ0upiH4kY4G3UFeNj.csHigh entropy of concatenated method names: 'xwAG7wVWsgyuMWVFfmhQlpN6K', 'GUVI1FZUu5IJVD3IwqzzaqABT', 'r8hjrb97CAUISNwkn9v1i4Oro', 'vYAEK3EH59ZAFswlzt7tPva5FTaMpAvq0e8CwXeOFJgAbKZgfxSwcHdTlXVI', 'C4kbaHOp385wS738ew26I1BZRbHBasMfmMXmnG2Gntqjo9fUCG6cQnbGcYPR', 'IYXtWDeckuPdNjmb95dCYtRhfMnObtoMrcbq0RncrLVZ0f1QsgviQPHJYwu3', 'yiDoTJ8an6tspWCHAcMIuxVLHyHRbPH054Xb2xqwJBCjL8vr4pZMXbaatK1V', '_25MITyhMxOExH2Qz6JSyS3u6x3JTmocCFcuo6348gsQgmZTtca3HtuDG1BFd', 'nztYpTbspTQ7EcQs6cGZODaJuAis3lxUokCJKuBoarT0M2hFLAWKpj8g9Tg3', 'fyIWSYwLNYEpscATO1plLdECqWVYOEFlz9HJILUndeQbBK4gB1yPI3HYqm0m'
                  Source: Server Manager.exe.0.dr, cAY1JHGrS6II4CSxqSolra4PBuAKeflv0.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0mJ2vrUbPx6R1rlWfkmINRVm5', 'FZLAkv17bSijUTcATHoZ7r5ef', 'eCqHqhYcbmY9IEeSOn0Lz4cRb', 'vOh9vKLxTqbLtMCzHPBANx45t'
                  Source: Server Manager.exe.0.dr, vSWZ6fMkWTWQXdFdczNgejofSE0BF0rbzxYj9BY01bhlVNZAeRUf5ueU3Pgaba5MB.csHigh entropy of concatenated method names: 'huqXPBfLzpusoDzptx34oqD2bA0KwhCohpUNfZk7HVz0LAMG60UURRbmPnCeMuFGr', 'sGZTm8ss2UINPtVpM0Qo9vB3c6zESvcMlipX17ZJKvpj9pYuVoHjXTkPOTaDeBXhU', 'FE9vxI1PuXbpOwP0JKkxlAC811zowJEvCFlv0zbw3Ye9LkZ8ykmJBFn4T39CAnTCd', '_0MXWpdaDxF5hqmuXIj03KO2S53WjOze8ESQIOTeGlGa43S8YQ7Bh0uDKJoNdr7CUW', 'x6eTMMz8P4OL82Jn9FtbcHbeCErNrJekdSj65Rwax6GxiCW33A8KPpda5zX6EoEr4', 'E7uyHatDr1rKIYcvS6rRazxBCiDtXqJEvyEsxUHZbZGnuWOHpbxXJDJ9rNZE9lIPRcEGRiH5vq5IhOhZlYx9Tj3kk1enHIWQoh', 'R662gBE1qEe0XVBHPmzxIpJzR1YBMl2m1tfcctdZTJKZwPQPcgaJdKarKySknsuxujkKswIv08cmdksCFp9RMY2M8Q1dqK5vzl', 'wJNjIJiWcRaJRZCsww6NlarRpKdLA4jhGq3LknFJ8E2kHOmsXCd0kOo34n4r98aCgYrwfjMN8EJukXBRt2rL43unb4otX7zL68', 'GghHpWJqCHKDdiJZT1AGcBNvdBK27GvU09pI06hyzA03pV7zCnoxoXcbRSCqXCipPjv9CvplbKrcBtpUv35bbaQEnNWk0vnsmv', 'W7hBfPblHFapmXpnhYv3NLHsd1VRYreWO9Zf2kJb85XPKBiQROqjqNvwa5trn8EZktbsqqkr6FU3yP3Q4ErSgBFFpAa4rzLOEn'
                  Source: Server Manager.exe.0.dr, TBBsrpMOsnlGPWhUwLR0UqVtIEeIPqG8VOzJFdcD8V0QgjU85yIaylUOacsZU5dIziI729aK4gyH1mVoB0g.csHigh entropy of concatenated method names: '_0cKGbHl458dEXhwvCi8sYTtLb02DuEtBCb3dtdPs4tVX2Efgl2jVW0tOsLjyFvfXmEt7MynNDH1UepnuE60', 'fG0vUOXOLxvJMrIjYQnDzzi1JOvj1paVzb4I9swwpROT4svm1IWfb4gKBgCPDKdRTPquiZM5gZhsZXXHSrl', 'M5Y1vWtWDdSyjFEE8q9PrKbMtVy1LG4JN0MaKKT8CAPRbbaRMTTkmUIF34qRQBK6ksFJ8e0DobI8vjzUBvG', 'gSoQ2bNIMPp4mTUUxai5A4PdBrnO40bFn8LD2lIx8qtyxgPQPtpkAofQqxzHVz3xtmlG1sslsUL3QioP3q7', 'ruHjadlpc6oXSPXEa16gNcwfuv3sT13FeYw17uVItJd', 'r2IH4A4LYsBRVCksKwZ518Gi8tRL6rfZklohBRtlOCl', 'FprurO3uwglcoJcAOmhxWbb3gXYjaP8LA5B7fyqLj9G', 'fNDraAH93jR7tAOzW9VFAScHLdvoSDuoKnCzwY9Xg7K', 'Qtcu6lbXd5mvAwE7AzftfvqOTxC7LD0Qp6MTzwstxiP', 'lQNYx0FR6U2NK8XhPS4USKdaDh4MVcGsQ6KTFsa6a9j'
                  Source: Server Manager.exe.0.dr, YA10RSYRRniX8kQXEtZ2RhNM4Gck5eyyTae2EwZMFZ0pKPugKrRbYxrTUsRR7YWQVsp8ee86bf3yqlA0nqUe1LajeKT0MWUW9W.csHigh entropy of concatenated method names: 'P488koC6HpviZ49ksNTnJ8KgVG7K6tF3RteP3HPV296l2toTjJ94UCsmv3fhOlRzkdkv3cnl3I7IPh2h51oa2IzQ7BvHaaFq25', 'k3Xx678hk2uJOLlRAbjJqKP87wUr0xF2m5NfKl8zxB8Wafom9DLyDOunvnrrb617USqjNj0XlRJOZ9aNZPwpvDtZEgPRxZgZ5t', 'fXpiDD47BBS5jgxuGLn1LaOL8aAVVOJB7fGfx1mgnOyV6BSleuazJhKFJZhzOOmwiNtJpEIvc0OKBjDfe5kXOMEwpqiFS6ntka', 'GJILbNJnh6lT7bE97jcvkJMmxDowySTQgX7qA7IbMrroKzLteWtlLqNx5uL3FVf46W2kmmhECLWPtamI3Cf', 'x8iAeB2xpXDiBEs3odoVPSsYlfgofUOhWAfMtl15XvuicliXGfRRE8hVaya7kA5mvwrcYqw0fBNYxUcfemx', 'Az2CCCThLdKyAgJMwZGQyZSfaDmK8vi2WJgv29RHxhXD3bkStFo973IHMfoVg3O6gbG7KXcd5rVWfGQC25Q', 'fGnGcYUYzlJvmDSpK3PPZkYNrIOZIp4dUAYtSumJpW0jcKob6HlwbwUgoKr9VBqq2KivDahesftoCz0ozNu', 'luq0CLz8LPy31eG9ysPLFMYcKI3qiwU92VK58cEQdQAkf3B8hCOLpZAFufs9WNEyGcip6PUq8UTWOCNauWH', 'YNjBxxNVcsOjJkmY0xcC4bPJvkQqPoil2owdY5PBsfiQHs6heBIoITTAuhqRSMNT6oBc1EKFs1WMeFEpt0d', 'qYEJERNZwnAfX5SNRGoBcTWAC4K2Pj0IAi4QlqO6pUumJ2tXBSwKpIZbwbCwMZgY8uekiPplqLbHQ0OMhaF'
                  Source: Server Manager.exe.0.dr, z2JWD48iZkNLFgNd58g0x4ojAiCfmPG30sHSmJas1indA42NdNlI4yYsjqj7ruIxB.csHigh entropy of concatenated method names: 'Yo0dGngvzDwqllduWigLXJzlM9RL0w9T7GXYa7Og2G9WFs3XsOcvdPJNSIo5gKZeG', 'KKdIgvSmIa6uHSO7r6s7plRx6tL1Vmormt0y3qFFMki05Q9N2vK0EambJrRcwHG4b', '_47Ovb8KH3liGPOyY3Az3gp4K8mH3g4AWAz10E6Ogb5xYU6WangvvQfpCsjLW3AYTf', 'rgyCYLdjGxIbcUZYWDuciIsIyZb5n3L90RyQBWoDDRLvGGhfbOha2YUbpHCs155rZ', 'LzVFmTESN1tgO7oOCFZE5ko4Ido1byrWCAdAS3XUtzYYOiFDwl0ECHRwmh0S3Oiqo', 'CCtAx7svTdinvMEae2FjM3FzwLHAh8TN0Z601JK6ijqlB4M78sjg82AyIykwUtbYj', '_2llpCGAyXNHINuV02SCIjxuQJjQW3GNB6vIOVVOKTYCqPqTvUUVaUDRgd8NESMyVV', 'eEOFPnbWqcVQ0BXY751u1haVPeXMtZZM7430wGYZPprQ67TLZYrsHmAjLEpsEugpX', 'Vzo2gtyHXECPqnLsxeCZRoVzC2utD83fkXmguUaOjsdRq9LrHaMtboHCaj5OYciCm', 'Nm4mcWadJOZTYExIriiwxfyuBZVuzz881cOdQGelWVffgm79DEhwDDj4WKmw8OvdR'
                  Source: Server Manager.exe.0.dr, 5D5HiKNzbR9pwxEc23nNJsvFsVM2OT80R8euwIify5fYP4zQ9LzJulQXwAa4NZQ9l.csHigh entropy of concatenated method names: 'tB5WUAEgX7B6kZKxNPsqccXvIyZgRX9syegGXD7B3SCd0nsbu6EIYrdPR9Pw67n6p', 'cyZu1ViZD7Gj996vm7EW3BoC0sVhenIIPBMZZR6LJYv4GwYDDJD1pAfEEm9dSXgTz', '_0oHpi9OvPgLwU60rwTEbfAIAU0KFuXo3u6cb81820izputUMUXjW2arfy23QFSy5Z', 'Wl7mg8yUjcOgphvmMgXHEUAY7b2ybdxEGRswFE8fiDahJBvq8Bb2TdiazRaJiusR6', 'adivzlbzNQVqjU0n1uzbghfwzuN2ESxqRtKb734IdZpT7YBZMzK3p19cUUJKu2GZM', 'knkuOOUkDWrUioHrfJKYj7dLyrfx2YlQ0kcdnS4sbgxpgyUdN7O5IpvC6Wuv1MiEI', '_0T31D0BRdZPGKP2LabImBgmCAdKjjKpN34EWPdOZTWJKdn8KQ137B07MzH9fzYqzO', 'iGL31GrxOqqyn2Oubh69noUOXG7sLiC0j0i7B4CIhHWmVo2McN1QSvuXCJld7brY6', '_9YYou8bXjXiEKMosFgWwdesq21unfGITCvTYoZDeWQeKCY98YFe2gvJBFqYA6MzFN', 'nnY6kbrzTK8vy1nBUxezVRIKPh1kOUPiPjDDPDuPgKs7ZOibYrDQEHL4FhRUAyS3Z'
                  Source: Server Manager.exe.0.dr, gKMWDTMWUubM8SQzLZimtFgSgUsV0TnCCUu0IP8L9falxDA4MIUqy9Zm4EruvlYGBv86fzMr22NHAtk4xST.csHigh entropy of concatenated method names: 'vHzizXHycaVwwrBhPa7VmNE13', '_4pSdIVmMBFBjKSYBk9DctTJnEt5rEhXAzz3U4yz6PuYrp7OwIC5lBVsGb7V01uHvZi0nAe0Ohs2', 'iXa09HLTf3dZsRI2zOMj7Ci5tMVJcklpsUWt4DvMb1JlYh66NGckBnRm9o9gHknH5X8BbRDcnH9', 'OJCzCLvpFBvYvjboiJADJAbm2pBgI1uyawGu8Sf3LsDo5tv4YtYgcsdaQ9oGWx9wfaaEImMBwVa', 'vqH7k9GAMaZn8oRtVRAnNTsusK7g0WReLZfXrnT1fFi3k2jVcYO4JhJusG4YlLPtWcq9WHXE7jZ'
                  Source: Server Manager.exe.0.dr, WEkPluHJzmSxu7WhrqQ1sGmpx.csHigh entropy of concatenated method names: 'alP2pDAfQ0j3k1sj7mJBP697W', 'vTQSIj4ugwy6pAn8xlN8GtY8m', 'byk9Lrj6vGySSw0fG9J8TsbpS', 'wzjf8QmQoyBoVxjoLoHzMWiOz', '_4EIJjXuGuLIFttrXzHi62zPBb', 'VjpM7uqJ5h6j4DInBegm8Cgag', 'xfx3bO1k8yHn1mS4OfeAATr3W', 'Nl6ZnIujtJgyKgef1ap6BkD4P', 'xBii5Q0t3eYJPbIBBvOgZS8zP', 'NcJ8YT5a0rAQ6VIvkNfv4IThU'
                  Source: Server Manager.exe.0.dr, MPcgcE6ZxEy4y4KZrPaumiTfDZEN43k4kSHPkMwvliWO4rstGifwK97BMZieZ7NtaK2XcKw3oFGLZ23RSKifrCOGHEFCqUtpEW.csHigh entropy of concatenated method names: 'C37QjebKdbP9YJ1hr5PZeOrPdA1J4laSqzppIgw9C3S1RPSvzvUfBdkRoEA3GxopRSqJv0gMPF7I2vbxjxm1Ny9ncJ8Hn4pk00', 'ZbWhUTW8MrzfMc61EXiwnmiMhUvhN0IDwGY5vDtC56R', 'rBLcvzxiPfMtcYmKatHXTdjU1gMTaf3nzyTbspLfmSU', 'hoinDa4h24qezH4SyksGK2kjypVL8ciJS1bclREIpN4', '_4ouDZUTy7zlhM1B9hWL08oNqZ2m1Gyg3jhLpjzF7IAp'
                  Source: C:\Users\user\Desktop\ServerManager.exeFile created: C:\ProgramData\Server Manager.exeJump to dropped file
                  Source: C:\Users\user\Desktop\ServerManager.exeFile created: C:\ProgramData\Server Manager.exeJump to dropped file
                  Source: C:\Users\user\Desktop\ServerManager.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server Manager.lnkJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server Manager.lnkJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Server ManagerJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Server ManagerJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Server Manager.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Check if machine is in data center or colocation facility
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\ServerManager.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: ServerManager.exe, Server Manager.exe.0.drBinary or memory string: SBIEDLL.DLL3FNK2O4RW2ZWEMHZWCGSMYCHRI3FP3FSE5XST91ORNWTQ3Q2QRSQ3K4CIA1WB45KHVXO0KNHXO1V1L3ARJI4V1SXQFDRCMISMMZUEGSP3KEHQ2FOEOT4SRKKBZ8QKC0DEI3SIFQZYR1J02LPAOSNT3LOC8PV3TKSSVQ0TQ57ZG30CVS5ADPIFC35JFRAEJEOSO6B0WQZDGONIT3UU3UPKZCZLX47ROXIRLL3HS9SOAIFTYO6GZXOPTQLCSFLSJAPXTCDDMTNT8YUKQI83FEEU4ISAXC4WMLDQTO45IUZVPJ9IRLLPFBDJ6ZVTZPIZHKCXEQY88UCJ3AXHEMRTIE0ODJGZWPQGD90BK2WOHW1QKPHMQNKLPCN0AJSCE7R9TLT5UHZTYUBHGLUX598WDCWTX0ZFFGEWUVQLPPQHRMCHMAZH2E7NKOG9A0UXVSNUQNA7LEH2INNCNIQCN3DVFKVDZ70T0U7LUNZ2XNSOEAPMFL53TQILEBDNDMUUR5VEENO8YT1TA27UUKDCS21CG2L1PKPB9F2EFCN0GNQX1OPVA7RYIBI6WINFO
                  Source: ServerManager.exe, 00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\ServerManager.exeMemory allocated: 1480000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeMemory allocated: 1B330000 memory reserve | memory write watchJump to behavior
                  Source: C:\ProgramData\Server Manager.exeMemory allocated: E80000 memory reserve | memory write watch
                  Source: C:\ProgramData\Server Manager.exeMemory allocated: 1ABE0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Server Manager.exeMemory allocated: D70000 memory reserve | memory write watch
                  Source: C:\ProgramData\Server Manager.exeMemory allocated: 1AAE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ServerManager.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Server Manager.exeThread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Server Manager.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\ServerManager.exeWindow / User API: threadDelayed 8123Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeWindow / User API: threadDelayed 1715Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6378Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3349Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5768Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3879Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6201Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3416Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7270
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2331
                  Source: C:\Users\user\Desktop\ServerManager.exe TID: 5144Thread sleep time: -26747778906878833s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5980Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7000Thread sleep count: 5768 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3488Thread sleep count: 3879 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6060Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3468Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6804Thread sleep count: 7270 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 640Thread sleep count: 2331 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6908Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\ProgramData\Server Manager.exe TID: 5464Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Server Manager.exe TID: 6756Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\ServerManager.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Users\user\Desktop\ServerManager.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\ProgramData\Server Manager.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\ProgramData\Server Manager.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\ServerManager.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Server Manager.exeThread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Server Manager.exeThread delayed: delay time: 922337203685477
                  Source: Server Manager.exe.0.drBinary or memory string: vmware
                  Source: Server Manager.exe.0.drBinary or memory string: 0BlCLvXKpPXDBA5W9MeICj7NRWJf57RNYtpWVcNWpYKbaFWaVXIlCdFTu0roifTFsVMCItc5uCI
                  Source: ServerManager.exe, 00000000.00000002.3365778342.000000001BFF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  barindex
                  Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                  Source: C:\Users\user\Desktop\ServerManager.exeCode function: 0_2_00007FFD346873F0 CheckRemoteDebuggerPresent,0_2_00007FFD346873F0
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\ServerManager.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe'
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe'Jump to behavior
                  Bypasses PowerShell execution policy
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ServerManager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Server Manager.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeQueries volume information: C:\Users\user\Desktop\ServerManager.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\ServerManager.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\ProgramData\Server Manager.exeQueries volume information: C:\ProgramData\Server Manager.exe VolumeInformation
                  Source: C:\ProgramData\Server Manager.exeQueries volume information: C:\ProgramData\Server Manager.exe VolumeInformation
                  Source: C:\Users\user\Desktop\ServerManager.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: ServerManager.exe, 00000000.00000002.3365778342.000000001C085000.00000004.00000020.00020000.00000000.sdmp, ServerManager.exe, 00000000.00000002.3365778342.000000001BFF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\Desktop\ServerManager.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: ServerManager.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.ServerManager.exe.e20000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ServerManager.exe PID: 1280, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\Server Manager.exe, type: DROPPED

                  Remote Access Functionality

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: ServerManager.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.ServerManager.exe.e20000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ServerManager.exe PID: 1280, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\Server Manager.exe, type: DROPPED

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                  Windows Management Instrumentation                  		21
                  Registry Run Keys / Startup Folder                  		11
                  Process Injection                  		1
                  Masquerading                  		OS Credential Dumping541
                  Security Software Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  PowerShell                  		1
                  DLL Side-Loading                  		21
                  Registry Run Keys / Startup Folder                  		11
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Non-Standard Port                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		151
                  Virtualization/Sandbox Evasion                  		Security Account Manager151
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Ingress Tool Transfer                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  System Network Configuration Discovery                  		SSHKeylogging12
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                  Obfuscated Files or Information                  		Cached Domain Credentials1
                  File and Directory Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Software Packing                  		DCSync23
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465856 Sample: ServerManager.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 36 ip-api.com 2->36 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 16 other signatures 2->50 8 ServerManager.exe 15 6 2->8         started        13 Server Manager.exe 2->13         started        15 Server Manager.exe 2->15         started        signatures3 process4 dnsIp5 38 ip-api.com 208.95.112.1, 49710, 80 TUT-ASUS United States 8->38 40 89.213.177.81, 56136, 7000 EDGEtaGCIComGB United Kingdom 8->40 34 C:\ProgramData\Server Manager.exe, PE32 8->34 dropped 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->52 54 Protects its processes via BreakOnTermination flag 8->54 56 Bypasses PowerShell execution policy 8->56 58 3 other signatures 8->58 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 powershell.exe 23 8->22         started        24 powershell.exe 8->24         started        file6 signatures7 process8 signatures9 42 Loading BitLocker PowerShell Module 17->42 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  ServerManager.exe65%VirustotalBrowse
                  ServerManager.exe100%AviraTR/Spy.Gen
                  ServerManager.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\ProgramData\Server Manager.exe100%AviraTR/Spy.Gen
                  C:\ProgramData\Server Manager.exe100%Joe Sandbox ML
                  C:\ProgramData\Server Manager.exe74%ReversingLabsByteCode-MSIL.Trojan.AsyncRAT
                  C:\ProgramData\Server Manager.exe65%VirustotalBrowse

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  SourceDetectionScannerLabelLink
                  ip-api.com0%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://nuget.org/NuGet.exe0%URL Reputationsafe
                  http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                  http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                  http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                  http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
                  http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                  https://contoso.com/0%URL Reputationsafe
                  https://nuget.org/nuget.exe0%URL Reputationsafe
                  https://contoso.com/License0%URL Reputationsafe
                  https://contoso.com/Icon0%URL Reputationsafe
                  https://aka.ms/pscore680%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://ip-api.com/line/?fields=hosting0%URL Reputationsafe
                  https://ion=v4.5mConsumer0%Avira URL Cloudsafe
                  89.213.177.810%Avira URL Cloudsafe
                  http://www.micom/pkiops/Docs/ry.htm00%Avira URL Cloudsafe
                  http://crl.micft.cMicRosof0%Avira URL Cloudsafe
                  http://crl.mic0%Avira URL Cloudsafe
                  https://github.com/Pester/Pester0%Avira URL Cloudsafe
                  http://crl.micros0%Avira URL Cloudsafe
                  https://github.com/Pester/Pester1%VirustotalBrowse
                  89.213.177.812%VirustotalBrowse

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ip-api.com
                  		208.95.112.1
                  		truetrueunknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  89.213.177.81true
                  • 2%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ip-api.com/line/?fields=hostingfalse
                  • URL Reputation: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2166138809.000002D9D56A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2251088379.000001D51F422000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2390912790.0000021AD91E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://ion=v4.5mConsumerpowershell.exe, 00000008.00000002.2405649577.0000021AE14C2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000C.00000002.2441830023.000001BD017FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD017B3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2149714407.000002D9C5859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F5D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC939A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD0185C000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000C.00000002.2441830023.000001BD017B3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2149714407.000002D9C5859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F5D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC939A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD0185C000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000005.00000002.2264147959.000001D527B89000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2166138809.000002D9D56A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2251088379.000001D51F422000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2390912790.0000021AD91E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://crl.micpowershell.exe, 00000005.00000002.2264839468.000001D527C46000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2405649577.0000021AE1501000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 0000000C.00000002.2573055625.000001BD115D1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://crl.micft.cMicRosofpowershell.exe, 00000005.00000002.2264839468.000001D527C46000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2405649577.0000021AE1501000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://aka.ms/pscore68powershell.exe, 00000002.00000002.2149714407.000002D9C5631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC9171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD01561000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameServerManager.exe, 00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2149714407.000002D9C5631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199861724.000001D50F3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2302461794.0000021AC9171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2441830023.000001BD01561000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://github.com/Pester/Pesterpowershell.exe, 0000000C.00000002.2441830023.000001BD017B3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 1%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown
                  http://crl.microspowershell.exe, 00000002.00000002.2173832190.000002D9DDE1E000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  208.95.112.1
                  		ip-api.comUnited States
                  		53334TUT-ASUStrue
                  89.213.177.81
                  		unknownUnited Kingdom
                  		8851EDGEtaGCIComGBtrue

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1465856
                  Start date and time:2024-07-02 07:36:10 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 2s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:18
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:ServerManager.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@15/21@1/2
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 81
                  • Number of non-executed functions: 9
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  01:37:02API Interceptor49x Sleep call for process: powershell.exe modified
                  01:37:57API Interceptor407604x Sleep call for process: ServerManager.exe modified
                  07:37:53AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Server Manager C:\ProgramData\Server Manager.exe
                  07:38:01AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Server Manager C:\ProgramData\Server Manager.exe
                  07:38:10AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server Manager.lnk

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  208.95.112.1F.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • ip-api.com/line/?fields=hosting
                  x.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • ip-api.com/line/?fields=hosting
                  java_update.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • ip-api.com/line/?fields=hosting
                  Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                  • ip-api.com/json/
                  x433.exeGet hashmaliciousXWormBrowse
                  • ip-api.com/line/?fields=hosting
                  DriverUpdt.exeGet hashmaliciousXWormBrowse
                  • ip-api.com/line/?fields=hosting
                  rinvoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • ip-api.com/line/?fields=hosting
                  rQuotation.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  8f5WsFcnTc.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  ZkqNrYh5cV.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  ip-api.comF.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  x.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  java_update.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                  • 208.95.112.1
                  x433.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  DriverUpdt.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  rinvoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 208.95.112.1
                  rQuotation.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  8f5WsFcnTc.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  ZkqNrYh5cV.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  EDGEtaGCIComGBf6RyWmGZLw.elfGet hashmaliciousUnknownBrowse
                  • 217.144.153.241
                  c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exeGet hashmaliciousSystemBCBrowse
                  • 185.20.35.63
                  https://nom9er.gouwo.eu/Get hashmaliciousUnknownBrowse
                  • 212.38.95.10
                  Pb0GaINSjK.elfGet hashmaliciousMiraiBrowse
                  • 77.107.107.199
                  t4p0nt07.x86.elfGet hashmaliciousMiraiBrowse
                  • 217.144.153.219
                  https://erzincanaktastaksi.com/20/w2_2023_Up.zipGet hashmaliciousXWormBrowse
                  • 185.49.126.37
                  https://cdn1.filehaus.su/files/6634f9beb74d4.txtGet hashmaliciousUnknownBrowse
                  • 89.213.174.100
                  https://cdn1.filehaus.su/files/6634f9beb74d4.txtGet hashmaliciousUnknownBrowse
                  • 89.213.174.100
                  rfB3bYVoxB.elfGet hashmaliciousMiraiBrowse
                  • 89.213.248.27
                  x2tgARMXmA.elfGet hashmaliciousMirai, GafgytBrowse
                  • 217.144.153.212
                  TUT-ASUSF.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  x.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  java_update.exeGet hashmaliciousAsyncRAT, Neshta, XWormBrowse
                  • 208.95.112.1
                  Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                  • 208.95.112.1
                  x433.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  DriverUpdt.exeGet hashmaliciousXWormBrowse
                  • 208.95.112.1
                  rinvoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 208.95.112.1
                  rQuotation.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  8f5WsFcnTc.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1
                  ZkqNrYh5cV.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.95.112.1

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\ProgramData\Server Manager.exe

                  Download File
                  Process:C:\Users\user\Desktop\ServerManager.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):187904
                  Entropy (8bit):4.872603519857264
                  Encrypted:false
                  SSDEEP:1536:NJT04P1KoDnQvgZqsrqb7arwkB3Shw6nX9tOQVgAuNEb:nxggkuqb7Yh9ShhOQVgjNEb
                  MD5:C5B7998C5908E5A4742674DBFDA9FFB8
                  SHA1:3F1D2D30D7D602DCC193E0EB52AA5893A6E2D69B
                  SHA-256:9F727BCE5E9E5FA25B4E97322A77FB7D73C16F9C220955EC16661892D72BC6EA
                  SHA-512:44DA71CF85F8489EE075E340CE111E85C587905098FD6D1FCD4066EBF318C06E2BBE4131CC059DC93178E74F5A4D4EE0371EBF89A22BD7F9135265AEAC8294FD
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Server Manager.exe, Author: Joe Security
                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Server Manager.exe, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Server Manager.exe, Author: ditekSHen
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 74%
                  • Antivirus: Virustotal, Detection: 65%, Browse
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~f.................B..........^`... ........@.. .......................@............@..................................`..K.......&.................... ....................................................... ............... ..H............text...d@... ...B.................. ..`.rsrc...&............D..............@..@.reloc....... ......................@..B................@`......H........b.. .......&.....................................................(....*.r...p*. ~.H.*..(....*.r5..p*. ..e.*.s.........s.........s.........s.........*.ri..p*. ...*.r...p*. ...*.r...p*. ....*.r...p*. .=..*.r9..p*. E/..*..((...*.rc..p*.r...p*. ....*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Y...*"(....+.*&(....&+.*.+5sj... .... .'..ok...(,...~....-.(_...(Q...~....ol...&.-.*.r...p*. ....*.rA..p*. .\=.*.ru..p*. .(T.*.r...p*. ..[.*.r...p*. B...*.r...p*. "Y..*.rE..p*.ry.

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server Manager.exe.log

                  Download File
                  Process:C:\ProgramData\Server Manager.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):654
                  Entropy (8bit):5.380476433908377
                  Encrypted:false
                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:@...e...........................................................

                  C:\Users\user\AppData\Local\Temp\Log.tmp

                  Download File
                  Process:C:\Users\user\Desktop\ServerManager.exe
                  File Type:Generic INItialization configuration [WIN]
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):3.6722687970803873
                  Encrypted:false
                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                  MD5:DE63D53293EBACE29F3F54832D739D40
                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                  Malicious:false
                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03ub440h.spu.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1s1x41c4.yx3.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfelk4g0.w2n.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu2srmpn.be1.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2rcdjyt.4ld.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecmchfxq.k3c.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f04iqpyq.ti4.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxvdo4lg.vhj.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnfmr250.lhs.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lueoyisi.xdv.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_va1qowu1.eyr.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwlqk5zu.imz.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwzxyr4i.ahu.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xadqwjz0.zja.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y33vvror.xr1.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqggigke.u15.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server Manager.lnk

                  Download File
                  Process:C:\Users\user\Desktop\ServerManager.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 2 04:37:53 2024, mtime=Tue Jul 2 04:37:53 2024, atime=Tue Jul 2 04:37:53 2024, length=187904, window=hide
                  Category:dropped
                  Size (bytes):700
                  Entropy (8bit):4.578804566913453
                  Encrypted:false
                  SSDEEP:12:85EEhnKxRcVO6keQLl2vS/djAylFJtQb99/9hUup2u9mV:8DnggkKvyZAydtk917Ut6m
                  MD5:541735F2EF3721BF2093A08FA140D011
                  SHA1:BE4E4D53EAA148FB772227AEE3FC2B6121D826C6
                  SHA-256:04EBA3D8D4BFFB2E77AC0EAE831E8B22AA9D88B240E3C1EC68CDF5A38BF7DB87
                  SHA-512:B3CDC5EF169C74CBB7CCAB4B5684DC7DEBA5CD872F8B3E5544E4558D6BC92560B13A5CA499A9820365610704B50100680DFC6365F181AABB8635A286FC1125FB
                  Malicious:false
                  Preview:L..................F.... ...{..A....{..A....{..A................................P.O. .:i.....+00.../C:\...................`.1......X.,. PROGRA~3..H......O.I.X.,....g.........................P.r.o.g.r.a.m.D.a.t.a.....r.2......X., SERVER~1.EXE..V.......X.,.X.,..........................:iq.S.e.r.v.e.r. .M.a.n.a.g.e.r...e.x.e.......P...............-.......O............C7......C:\ProgramData\Server Manager.exe..9.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.S.e.r.v.e.r. .M.a.n.a.g.e.r...e.x.e.`.......X.......715575...........hT..CrF.f4... ..KV/58...-...-$..hT..CrF.f4... ..KV/58...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):4.872603519857264
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:ServerManager.exe
                  File size:187'904 bytes
                  MD5:c5b7998c5908e5a4742674dbfda9ffb8
                  SHA1:3f1d2d30d7d602dcc193e0eb52aa5893a6e2d69b
                  SHA256:9f727bce5e9e5fa25b4e97322a77fb7d73c16f9c220955ec16661892d72bc6ea
                  SHA512:44da71cf85f8489ee075e340ce111e85c587905098fd6d1fcd4066ebf318c06e2bbe4131cc059dc93178e74f5a4d4ee0371ebf89a22bd7f9135265aeac8294fd
                  SSDEEP:1536:NJT04P1KoDnQvgZqsrqb7arwkB3Shw6nX9tOQVgAuNEb:nxggkuqb7Yh9ShhOQVgjNEb
                  TLSH:4A04F4DB6E9442B7D3ADFA7009B3733D872FA93E6BC38E0EA44B2E49173254C8940554
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~f.................B..........^`... ........@.. .......................@............@................................

                  File Icon

                  Icon Hash:8e172d4461e84423

                  Static PE Info

                  General

                  Entrypoint:0x41605e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x667E9EC2 [Fri Jun 28 11:30:10 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0x160100x4b.text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x180000x19726.rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x320000xc.reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  .text0x20000x140640x14200a223fe8e632fab1e46abcda7fbd849ffFalse0.6150281444099379data6.058661769627927IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc0x180000x197260x198005178dfed9c6f93ccc5ce7f0897c8916dFalse0.07735906862745098data3.077879205406427IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc0x320000xc0x2007a66a6a9640011e2441ce34f190febd7False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  NameRVASizeTypeLanguageCountryZLIB Complexity
                  RT_ICON0x182200xb5bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9205366357069144
                  RT_ICON0x18d7c0x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.02651425529397847
                  RT_ICON0x295a40x4228Device independent bitmap graphic, 64 x 128 x 32, image size 163840.06004959848842702
                  RT_ICON0x2d7cc0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 92160.1004149377593361
                  RT_ICON0x2fd740x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 40960.13062851782363977
                  RT_ICON0x30e1c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 10240.27925531914893614
                  RT_GROUP_ICON0x312840x5adata0.7333333333333333
                  RT_VERSION0x312e00x25cdata0.46357615894039733
                  RT_MANIFEST0x3153c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                  Imports

                  DLLImport
                  mscoree.dll_CorExeMain

                  Network Behavior

                  Snort IDS Alerts

                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                  07/02/24-07:38:23.603448TCP2855924ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound561367000192.168.2.689.213.177.81
                  07/02/24-07:38:51.103158TCP2852874ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M270005613689.213.177.81192.168.2.6
                  07/02/24-07:39:08.029867TCP2852923ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)561367000192.168.2.689.213.177.81
                  07/02/24-07:39:08.027108TCP2852870ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes70005613689.213.177.81192.168.2.6

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 2, 2024 07:37:02.186708927 CEST4971080192.168.2.6208.95.112.1
                  Jul 2, 2024 07:37:02.192044973 CEST8049710208.95.112.1192.168.2.6
                  Jul 2, 2024 07:37:02.192120075 CEST4971080192.168.2.6208.95.112.1
                  Jul 2, 2024 07:37:02.193074942 CEST4971080192.168.2.6208.95.112.1
                  Jul 2, 2024 07:37:02.198581934 CEST8049710208.95.112.1192.168.2.6
                  Jul 2, 2024 07:37:02.670258045 CEST8049710208.95.112.1192.168.2.6
                  Jul 2, 2024 07:37:02.712174892 CEST4971080192.168.2.6208.95.112.1
                  Jul 2, 2024 07:37:59.127157927 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:37:59.132117987 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:37:59.132196903 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:37:59.170763016 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:37:59.175590992 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:11.423892021 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:11.428968906 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:11.797482014 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:11.837260962 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:12.006206036 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:12.233167887 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:13.104115963 CEST8049710208.95.112.1192.168.2.6
                  Jul 2, 2024 07:38:13.104283094 CEST4971080192.168.2.6208.95.112.1
                  Jul 2, 2024 07:38:20.112732887 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:20.165509939 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:23.603447914 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:23.609848976 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:23.981782913 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:23.983206987 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:23.988061905 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:35.806611061 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:35.811499119 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:36.184058905 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:36.186419964 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:36.191343069 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:42.683607101 CEST4971080192.168.2.6208.95.112.1
                  Jul 2, 2024 07:38:42.688354015 CEST8049710208.95.112.1192.168.2.6
                  Jul 2, 2024 07:38:48.009576082 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:48.014642954 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:48.386667967 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:48.388600111 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:48.393491030 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:51.098949909 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:51.101944923 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:51.101989985 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:51.102725983 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:51.102766991 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:38:51.103157997 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:38:51.103194952 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:00.215231895 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:00.220067024 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:00.748903990 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:00.751046896 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:00.755836010 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:01.307678938 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:01.312505960 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:02.426879883 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:02.428951025 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:02.433713913 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:07.650022984 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:07.654822111 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:08.027107954 CEST70005613689.213.177.81192.168.2.6
                  Jul 2, 2024 07:39:08.029866934 CEST561367000192.168.2.689.213.177.81
                  Jul 2, 2024 07:39:08.034682989 CEST70005613689.213.177.81192.168.2.6

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 2, 2024 07:37:02.169657946 CEST6423653192.168.2.61.1.1.1
                  Jul 2, 2024 07:37:02.178483009 CEST53642361.1.1.1192.168.2.6
                  Jul 2, 2024 07:37:19.000540018 CEST53565921.1.1.1192.168.2.6

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jul 2, 2024 07:37:02.169657946 CEST192.168.2.61.1.1.10xb8f3Standard query (0)ip-api.comA (IP address)IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jul 2, 2024 07:37:02.178483009 CEST1.1.1.1192.168.2.60xb8f3No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

                  HTTP Request Dependency Graph

                  • ip-api.com

                  HTTP Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.649710208.95.112.1801280C:\Users\user\Desktop\ServerManager.exe
                  TimestampBytes transferredDirectionData
                  Jul 2, 2024 07:37:02.193074942 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Jul 2, 2024 07:37:02.670258045 CEST175INHTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 05:37:02 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 53
                  X-Rl: 43
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false


                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:01:36:57
                  Start date:02/07/2024
                  Path:C:\Users\user\Desktop\ServerManager.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\ServerManager.exe"
                  Imagebase:0xe20000
                  File size:187'904 bytes
                  MD5 hash:C5B7998C5908E5A4742674DBFDA9FFB8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2081731281.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3362478674.0000000013342000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3329175843.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  General

                  Target ID:2
                  Start time:01:37:01
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ServerManager.exe'
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:3
                  Start time:01:37:01
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:5
                  Start time:01:37:07
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ServerManager.exe'
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:6
                  Start time:01:37:07
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:8
                  Start time:01:37:16
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Server Manager.exe'
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:9
                  Start time:01:37:16
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:12
                  Start time:01:37:31
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Server Manager.exe'
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:13
                  Start time:01:37:31
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:16
                  Start time:01:38:01
                  Start date:02/07/2024
                  Path:C:\ProgramData\Server Manager.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\ProgramData\Server Manager.exe"
                  Imagebase:0x9e0000
                  File size:187'904 bytes
                  MD5 hash:C5B7998C5908E5A4742674DBFDA9FFB8
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Server Manager.exe, Author: Joe Security
                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Server Manager.exe, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Server Manager.exe, Author: ditekSHen
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 74%, ReversingLabs
                  • Detection: 65%, Virustotal, Browse
                  Reputation:low
                  Has exited:true

                  General

                  Target ID:17
                  Start time:01:38:10
                  Start date:02/07/2024
                  Path:C:\ProgramData\Server Manager.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\ProgramData\Server Manager.exe"
                  Imagebase:0x8c0000
                  File size:187'904 bytes
                  MD5 hash:C5B7998C5908E5A4742674DBFDA9FFB8
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Disassembly

                  Reset < >

                    Executed Functions

                    Function 00007FFD346816DE Relevance: 1.9, Strings: 1, Instructions: 640COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: CAM_^
                    • API String ID: 0-3136481660
                    • Opcode ID: 55869c6561048625eb54be728880b1170510489ba1537698b6cab7ebc5c4ed82
                    • Instruction ID: 8e6359527a67d418e5e64a09b2b1632de62ad0d8d1c8b2469171a6ca152d3818
                    • Opcode Fuzzy Hash: 55869c6561048625eb54be728880b1170510489ba1537698b6cab7ebc5c4ed82
                    • Instruction Fuzzy Hash: A012E260B29B5A4FE7A8FB6884B92F977D2EF99305F444579E04EC32D3DD2CA8418341
                    Function 00007FFD34681719 Relevance: 1.8, Strings: 1, Instructions: 577COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: CAM_^
                    • API String ID: 0-3136481660
                    • Opcode ID: 18f771f1c5771dc046d0592f5baf1be994c99a811e005bac450b536c3a145461
                    • Instruction ID: 5b6ece2d66677531f4ce5b98ef4cb02030da0206ad608169f9d7a00684c705fd
                    • Opcode Fuzzy Hash: 18f771f1c5771dc046d0592f5baf1be994c99a811e005bac450b536c3a145461
                    • Instruction Fuzzy Hash: 7302C160B29B5A4FE7A8FB6884B92F977D2EF99305F404579E04EC32D3DD2CA8418741
                    Function 00007FFD346873F0 Relevance: 1.7, APIs: 1, Instructions: 178COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: 9e571e9ba848e57338cbf49b1684a208f87bdd7f6a39e03d771ca47540786fa3
                    • Instruction ID: fb915d3bfbf8d2f3bb54a41c003adca1c4f385bf736698c185778abcf4741d9b
                    • Opcode Fuzzy Hash: 9e571e9ba848e57338cbf49b1684a208f87bdd7f6a39e03d771ca47540786fa3
                    • Instruction Fuzzy Hash: CB515A31D0C7688FDB59DFAC88563F97BE0EF66321F04426BC489D7192DA34A816C791
                    Function 00007FFD34685EE6 Relevance: .5, Instructions: 470COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f7127a75078dab4915950e3f9873f06705bae827ecc66ebdc26026acf70b50d7
                    • Instruction ID: ac5f5b39a4298dcedad88eaab665b42a5b833aae422e3a0366dea82833bd8599
                    • Opcode Fuzzy Hash: f7127a75078dab4915950e3f9873f06705bae827ecc66ebdc26026acf70b50d7
                    • Instruction Fuzzy Hash: 62F1A730A08A4D8FEBA8DF28C8657E977E1FF55311F04426EE84DC7291DF7899458B81
                    Function 00007FFD34686C92 Relevance: .5, Instructions: 455COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 047722266c2338890456d5eda92ab556ec67510a2512991d16d1143a2539910f
                    • Instruction ID: 9fc27dacfe1e236dad43da57ec09f31971f22d19a638ca0b9dfe4356da45e431
                    • Opcode Fuzzy Hash: 047722266c2338890456d5eda92ab556ec67510a2512991d16d1143a2539910f
                    • Instruction Fuzzy Hash: F9E1A530A08A4D8FEBA8DF28C8957E977E1FF55311F14426EE84DC7291DF78A8458B81
                    Function 00007FFD346821B1 Relevance: .4, Instructions: 394COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3866eb84711464799bfdd3d8675d2e8d6f3fc5bcf5de9ba2caa7b29484a83157
                    • Instruction ID: 9b77ea486ff5e475e733cfec22b5e3b1338c44c944674a06f850441bee5b9c22
                    • Opcode Fuzzy Hash: 3866eb84711464799bfdd3d8675d2e8d6f3fc5bcf5de9ba2caa7b29484a83157
                    • Instruction Fuzzy Hash: 8EC1C021B1CA194FEB98EB68C4B52B977D1FF99304F04417AE14ED32D2DE2CA8429742
                    Function 00007FFD34687433 Relevance: 1.7, APIs: 1, Instructions: 203COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 08d78f40181a5e962d26aa9e2a7d84ab001dc1192e0d6bced279f17a249606a2
                    • Instruction ID: d117f36a203574afdeb39e112a81eb3c022b7af9c6f0bf6940da3f91a33b66f9
                    • Opcode Fuzzy Hash: 08d78f40181a5e962d26aa9e2a7d84ab001dc1192e0d6bced279f17a249606a2
                    • Instruction Fuzzy Hash: 06513C72E0C7698FEB55DF688C661F97FE0EF62321F04017BC589D7093DA2868158781
                    Function 00007FFD34689658 Relevance: 1.7, APIs: 1, Instructions: 171COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: b4882047664c89e6aa4a0ac3cc8f87b3ef4f077b220bafd36e8cf1e4b159864c
                    • Instruction ID: 291f701cecb82354f2916201883cbe7942231244fc9daccfa3b629486c81bc62
                    • Opcode Fuzzy Hash: b4882047664c89e6aa4a0ac3cc8f87b3ef4f077b220bafd36e8cf1e4b159864c
                    • Instruction Fuzzy Hash: 5A512872A0D6984FEB59DFA898996E97BE0EF56310F08007FE0C9D7193DA286849C741
                    Function 00007FFD34689678 Relevance: 1.7, APIs: 1, Instructions: 158COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: c8799aea079388ee8754706352508a93be5210ef1d9092fcea74eb3a327ce12a
                    • Instruction ID: 4042ab8e01613b1dfc68d110385df2cd645250a1834c33d66c5b18b464e48d47
                    • Opcode Fuzzy Hash: c8799aea079388ee8754706352508a93be5210ef1d9092fcea74eb3a327ce12a
                    • Instruction Fuzzy Hash: A9413732A0D7984FEB59DF9898996E97BE0FF56310F04007FE0CAD7193DA24A845CB81
                    Function 00007FFD34689698 Relevance: 1.6, APIs: 1, Instructions: 145COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: 04d390d3027e07df2401ff4c1218d9b5a7c9d51e164df1aa2754fb03626856bd
                    • Instruction ID: 993a4a5ec944ef898c35bb4101f4c4e8ce113ea749366c0ba0dc41a1afe79749
                    • Opcode Fuzzy Hash: 04d390d3027e07df2401ff4c1218d9b5a7c9d51e164df1aa2754fb03626856bd
                    • Instruction Fuzzy Hash: 14411931A0C7588FEB69DF9C98996F97BE0FF56311F04016FE0CAD3192DA246845CB81
                    Function 00007FFD34689BE8 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 7d381889e853d0cf69041b82d9ae904d31f5a1c1238454be03aa3e2b3e443257
                    • Instruction ID: ddcba94ead399158957ad7c079b2952743d69a2a10ca884509535fb5fde515b3
                    • Opcode Fuzzy Hash: 7d381889e853d0cf69041b82d9ae904d31f5a1c1238454be03aa3e2b3e443257
                    • Instruction Fuzzy Hash: 1A412870A0CA5C4FEB58EF6C98566F97BE1EB69321F00427ED049D3292CA656816CBC1
                    Function 00007FFD346896A8 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: 7f3e4c6492982e1cabff9cbb53c4e12430130092a6bf0ae274d0e7a582633660
                    • Instruction ID: 60b138a8bcea51fdf47031a78197503015e9e2df18e503b789d1e85856507bc1
                    • Opcode Fuzzy Hash: 7f3e4c6492982e1cabff9cbb53c4e12430130092a6bf0ae274d0e7a582633660
                    • Instruction Fuzzy Hash: 90410731A0C7588FEB69DF98D8996E97BE0FF56311F04012FE0CAD3192DA246845CB81
                    Function 00007FFD346878A1 Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: a6de84bb9d2d6afa8e7ffc3b50f3d9dcfceb470a087b2d5f1a27f58475c2af0d
                    • Instruction ID: 7f36d1e514e9637ad3e9210be2bcdeef412bec1c42e2bcdb2c1c5160ed9ef313
                    • Opcode Fuzzy Hash: a6de84bb9d2d6afa8e7ffc3b50f3d9dcfceb470a087b2d5f1a27f58475c2af0d
                    • Instruction Fuzzy Hash: 9431FF3190875C8FCB59DF98C88A7E97BF0EF65321F05426AD489D7282DB34A846CB91

                    Non-executed Functions

                    Function 00007FFD3468A7E0 Relevance: 2.3, Strings: 1, Instructions: 1058COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID: 0-3916222277
                    • Opcode ID: 0b503bd0a747c36a0b28039fa5945cf8712450dac93122d386ed7362defabba6
                    • Instruction ID: 9dde9b3880749243531c5f1b521146e4fc01c07cd2d2178a5a17757db66ea973
                    • Opcode Fuzzy Hash: 0b503bd0a747c36a0b28039fa5945cf8712450dac93122d386ed7362defabba6
                    • Instruction Fuzzy Hash: D5728030F1C9194FEBA8FB6884A56BD63D6EF9A304F504579D11ED32C3DE2CA8429741
                    Function 00007FFD346813D3 Relevance: 1.5, Strings: 1, Instructions: 253COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 0M_^
                    • API String ID: 0-417137734
                    • Opcode ID: 926fd8ce99431a54bad75fd86cd98e52648734aedc0df764ca9e3377fde9f7b3
                    • Instruction ID: 479c6d4d0fef559c4398888d5e85720aca957e30e241315de3ca656915d583f3
                    • Opcode Fuzzy Hash: 926fd8ce99431a54bad75fd86cd98e52648734aedc0df764ca9e3377fde9f7b3
                    • Instruction Fuzzy Hash: 84816047E0E7D61EE7536A7C6CB10E63FA4DF5322970942F7C6D4CA093AC0C680A9362
                    Function 00007FFD34681370 Relevance: .3, Instructions: 299COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cc108930108c0fe3ad524eef4aae8b3c4477f2b788206cf78bb16068f6aed02f
                    • Instruction ID: bdd95d265698a8a8c18684378fbe5cd1849dbede80200a0172f48c4641de80f3
                    • Opcode Fuzzy Hash: cc108930108c0fe3ad524eef4aae8b3c4477f2b788206cf78bb16068f6aed02f
                    • Instruction Fuzzy Hash: 9C91A557E0E7E61EE7536A7C5CB10E63FA4DF9322570902F7C6D4CB093AD0D680A9262
                    Function 00007FFD346810A5 Relevance: .2, Instructions: 194COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.3372625534.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e4074b177ad9c4308ebdbd5b28145e7a6b45a91146109bc18618fdff9adad213
                    • Instruction ID: 2b1f37015e7ae22c4118297e67add0c808783b3462fec7e692931f4070623823
                    • Opcode Fuzzy Hash: e4074b177ad9c4308ebdbd5b28145e7a6b45a91146109bc18618fdff9adad213
                    • Instruction Fuzzy Hash: 1651F727B4E67946D7217BFDB4A15FB7B18DF9237A70802B7D1CC9D0938D0820458AD1

                    Executed Functions

                    Function 00007FFD347239D1 Relevance: 2.8, Strings: 1, Instructions: 1504COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2177006984.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: M_H
                    • API String ID: 0-372873180
                    • Opcode ID: fc5c1ca3f2cb293ff2c860f8ad43e8e7feff1b898a191fd784c1d65a44f95a97
                    • Instruction ID: ca452f9073dd65c649eea27eb5789f16645a474e47a2e4c77d1353958b753a67
                    • Opcode Fuzzy Hash: fc5c1ca3f2cb293ff2c860f8ad43e8e7feff1b898a191fd784c1d65a44f95a97
                    • Instruction Fuzzy Hash: 5FA216A2B0DB854FE7A69B2858A51B47BE1EF97250B0901FBD18DC7193DA1CBC06C391
                    Function 00007FFD3453E380 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2175921975.00007FFD3453D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3453D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: CuD
                    • API String ID: 0-2925847217
                    • Opcode ID: 083be6563735875c63dbbad05d55a78009e7450c901627af65b21f9ca2a5b0df
                    • Instruction ID: 691b4cb826259d40e9972fb1ebd3584f9a05e67be150f8089b04c59d7dd4baa6
                    • Opcode Fuzzy Hash: 083be6563735875c63dbbad05d55a78009e7450c901627af65b21f9ca2a5b0df
                    • Instruction Fuzzy Hash: B241D47190DBC44FE7578B2898A5A523FF0EF57324B1505EFD088CB1A3D629B846C792
                    Function 00007FFD34659738 Relevance: .1, Instructions: 144COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2176449593.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 46099fe14557e0db41a20f0761ea03853ac835e3ce2477cb770ba15f5cd6d6cc
                    • Instruction ID: 7e50219fda471fb25a0137119ba333b3211942b1dcacb3da1b8d669d98df0b25
                    • Opcode Fuzzy Hash: 46099fe14557e0db41a20f0761ea03853ac835e3ce2477cb770ba15f5cd6d6cc
                    • Instruction Fuzzy Hash: 64412631A0CB885FDB589F5C98466F8BBE0FB95310F00416FE449D3292DA24A806CBC2
                    Function 00007FFD3465A47C Relevance: .1, Instructions: 103COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2176449593.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 283288fba285b955c2821eb0891a51bb8bb2085b28d1197fa07142c4de29c06f
                    • Instruction ID: be945bd202abb7a6dbf9880dd6362a6b94a7236665dc2c5661fabaf14b001f69
                    • Opcode Fuzzy Hash: 283288fba285b955c2821eb0891a51bb8bb2085b28d1197fa07142c4de29c06f
                    • Instruction Fuzzy Hash: 2B21F83190C74C8FDB59DFAC9C4A7E97BF0EB96321F04416BD049C3152D674A85ACB92
                    Function 00007FFD347240BF Relevance: .1, Instructions: 98COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2177006984.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a0d03a05c6323648149f123c8dc4d82739dbc11bb11fa5e2cc0a7c1362f86f00
                    • Instruction ID: 91b3e4bc0995cf81d0b83981b80bf936cada4fd341dad2b10297de12207b6618
                    • Opcode Fuzzy Hash: a0d03a05c6323648149f123c8dc4d82739dbc11bb11fa5e2cc0a7c1362f86f00
                    • Instruction Fuzzy Hash: DC21F5B3B0DA968FE7A5DA1844E117436D2EF66290B5900BAD24ED71D3DF2CFC409381
                    Function 00007FFD3465A038 Relevance: .1, Instructions: 93COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2176449593.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 773a2d7829f08106c59e8490e74328f85ee06e77d10c98777884efadeacde60f
                    • Instruction ID: e20f27b87ff5ce25e47e81e0d440bb2f2c139f41356444d22587043a8a556185
                    • Opcode Fuzzy Hash: 773a2d7829f08106c59e8490e74328f85ee06e77d10c98777884efadeacde60f
                    • Instruction Fuzzy Hash: 8B312726A1D9D60BD7025F6C98A10F63F61EFA321AF0801F6C5CCCE153EA19A155C7C1
                    Function 00007FFD347243BC Relevance: .1, Instructions: 63COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2177006984.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 386ef139bdf524efbc174de9ef3572cf6b3022983970b8d70fabd324bc96daae
                    • Instruction ID: d43e226b1db9cb7674448f2e38c4944e813980ee0838104563b57dbabf1f0c1c
                    • Opcode Fuzzy Hash: 386ef139bdf524efbc174de9ef3572cf6b3022983970b8d70fabd324bc96daae
                    • Instruction Fuzzy Hash: AC1106B2B0EA858FE7A5DA1884E45B87BD1EF462A4B5900BAD15DC7193DB2CBC0093C1
                    Function 00007FFD3472681E Relevance: .1, Instructions: 60COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2177006984.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bbe350e44b85de3506438a2a0d95a75daedb0995a4fbd2699661a8c3cbcadb5e
                    • Instruction ID: 171552a0744eb5f139afbba02ddf1c01d408ac4af796bc101d374fe208ea5d25
                    • Opcode Fuzzy Hash: bbe350e44b85de3506438a2a0d95a75daedb0995a4fbd2699661a8c3cbcadb5e
                    • Instruction Fuzzy Hash: 331136B2F0D6C88FE765EA9880E55A87BE1EF1A350F1440BFC10CC7193DA28A845C391
                    Function 00007FFD346533B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.2176449593.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                    • Instruction ID: a7b3ec9e85f60c887bf1ab583759d59287a80f7d629e4d15af53f6682909c868
                    • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                    • Instruction Fuzzy Hash: 3601677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E892CB45

                    Non-executed Functions

                    Function 00007FFD34658BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.2176449593.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: O_^4$O_^7$O_^F$O_^J
                    • API String ID: 0-875994666
                    • Opcode ID: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
                    • Instruction ID: d965de3f4da1a72574d0a42445448257d4c8cebc59da65311ffacd5a21a7af50
                    • Opcode Fuzzy Hash: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
                    • Instruction Fuzzy Hash: 2D2104BB7182268ED2117BFDB8145EB3744CFE423A34502B2D19E9F243ED14708A8A90

                    Executed Functions

                    Function 00007FFD347639D1 Relevance: 2.8, Strings: 1, Instructions: 1567COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2268657645.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: I_H
                    • API String ID: 0-288374528
                    • Opcode ID: 0ad40c620736977738bbe64466550f6880b8dfab1ecd0bc1b4607aefd013800c
                    • Instruction ID: fdd14256cc6806727f2cdb03651fe5e139a77fcd93bf7d986dbcf41aabd35f6a
                    • Opcode Fuzzy Hash: 0ad40c620736977738bbe64466550f6880b8dfab1ecd0bc1b4607aefd013800c
                    • Instruction Fuzzy Hash: 1DA208B2A0DB864FE766972858A51A47BE2EF97220B0901FBD18DC71D3D91CBC06D391
                    Function 00007FFD34699750 Relevance: .1, Instructions: 143COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2267892326.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 51b7c558b971a5ca3f9f97f9889e46448ed610ec8cb80d9e990c00dfd4cdbd9f
                    • Instruction ID: bd99f9567dd88d5f35ed58609b86b0f0930db436f757a71b3edd7cc86f2134f7
                    • Opcode Fuzzy Hash: 51b7c558b971a5ca3f9f97f9889e46448ed610ec8cb80d9e990c00dfd4cdbd9f
                    • Instruction Fuzzy Hash: 14412871A0CB884FDB09DF1C9C5A6B9BBF1FB66311F04416FD489D3292DA64A805CBC6
                    Function 00007FFD3457EE20 Relevance: .1, Instructions: 128COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2267172755.00007FFD3457D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3457D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b8ef24ae90311c0c81dc7e2d7dbcea091f0d7e94824eac1f956ac42c300f7217
                    • Instruction ID: 0b8a80657d4a19ea36c861940a096b6d8cc28c020ed6369d991efb64027f6df4
                    • Opcode Fuzzy Hash: b8ef24ae90311c0c81dc7e2d7dbcea091f0d7e94824eac1f956ac42c300f7217
                    • Instruction Fuzzy Hash: 9241037180DBC45FE7578B289C959523FF0EF53320B1905EFD488CB1A3D629A846C7A2
                    Function 00007FFD3469A49C Relevance: .1, Instructions: 100COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2267892326.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e7265ff500841289b8b0c657006cb6503112b88e8bbfa6776bec13e5e8b01149
                    • Instruction ID: e6d72d35bb302782230e1fe453443e9e7197bdd2d3b0993fdf1ad5208ff735b9
                    • Opcode Fuzzy Hash: e7265ff500841289b8b0c657006cb6503112b88e8bbfa6776bec13e5e8b01149
                    • Instruction Fuzzy Hash: BB21073190CB4C4FEB59DF9CD84A7E97BF0EBA6321F00416BD049C3162DA74A81ACB91
                    Function 00007FFD347640BF Relevance: .1, Instructions: 98COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2268657645.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ad4c0a59f0e5c35b4721ba013fed7333e7ec4514224f32c445b8aac57bb16fb
                    • Instruction ID: 78a4b44d98db81a6d19cf00c145ed99424199ceffa976aae9d7738a3ae89b4c6
                    • Opcode Fuzzy Hash: 8ad4c0a59f0e5c35b4721ba013fed7333e7ec4514224f32c445b8aac57bb16fb
                    • Instruction Fuzzy Hash: 9A21F4A3B0DA9A8FE7A99A1844E017036D3EF66220B5900BAD24DC7192DD2CFC049789
                    Function 00007FFD347643BC Relevance: .1, Instructions: 63COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2268657645.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a3ad33be448274aa0dbd09cbac2262106126fe66e65580b20e36c659ebe87050
                    • Instruction ID: 2e28ffdb11a4bcd5c7f0caf0f2383223137ca2145549dd1920829b6d3792da31
                    • Opcode Fuzzy Hash: a3ad33be448274aa0dbd09cbac2262106126fe66e65580b20e36c659ebe87050
                    • Instruction Fuzzy Hash: 4D1132B2B0E6898FE7A0DB1C84E55B87BD2EF46234B4900BAD60DC7093D92CBC0093C4
                    Function 00007FFD3476681E Relevance: .1, Instructions: 60COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2268657645.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c4eba8b98be6225357d39852b85429f04a6fd23640f6de2b855f807d8ff3284a
                    • Instruction ID: 659fbae847c576cf1bcfe8801f246be97fbfb6370fe63e2d375b5bb1c80b4b32
                    • Opcode Fuzzy Hash: c4eba8b98be6225357d39852b85429f04a6fd23640f6de2b855f807d8ff3284a
                    • Instruction Fuzzy Hash: ED117A72F0D6898FE761DAA880E016877D2EF16320F4440BFC10CD7093C92CA805C380
                    Function 00007FFD346933B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2267892326.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction ID: 66e339b9c219ae05c0f4a9cc314582de7c043b64f66fa0b2c63f0f34819a108e
                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction Fuzzy Hash: 5F01677125CB0C4FDB44EF0CE451AA5B7E0FB99364F10056DE58AC3651DA36E892CB45
                    Function 00007FFD3469A113 Relevance: .0, Instructions: 26COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.2267892326.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b58b9ff907a2a8f9e4ff7fe57bd4bfc1426dec8d49d6fa8294dfdc3df53ec348
                    • Instruction ID: d7825b191ef5071395aef2861ea802edcce1c2eac056685b2829458ead2e1887
                    • Opcode Fuzzy Hash: b58b9ff907a2a8f9e4ff7fe57bd4bfc1426dec8d49d6fa8294dfdc3df53ec348
                    • Instruction Fuzzy Hash: 43E06535848A8C4FDB95DF18985A4E97BE0FF66300B05019BE50DC7161DB759954CB82

                    Non-executed Functions

                    Function 00007FFD34698BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2267892326.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                    • API String ID: 0-2350917820
                    • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                    • Instruction ID: 4ae33b8a9e62b2815184ff7d28bf263346050f7a009a295ce7fc458e93cd07ca
                    • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                    • Instruction Fuzzy Hash: 9C2126B3B486155ACA1237FCF8915EA7794DFA437D34502F3E058EF013DD18A48B8A80

                    Executed Functions

                    Function 00007FFD347439D1 Relevance: 2.8, Strings: 1, Instructions: 1594COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2415004044.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: K_H
                    • API String ID: 0-313846638
                    • Opcode ID: 8bf0d31bf76ccf2255eaad4e778fda2d3eebafe5e336b01c3abd7cd77a0ee1cb
                    • Instruction ID: 27674ac2b48e2f4c92d3824b9450cb79f8e6359476ca9b162f74363a339ee3e2
                    • Opcode Fuzzy Hash: 8bf0d31bf76ccf2255eaad4e778fda2d3eebafe5e336b01c3abd7cd77a0ee1cb
                    • Instruction Fuzzy Hash: 5AA2F4A2B0EBC54FE7A6962858A51B47BE1EF57210B0901FBD18DC72D3D91CBC06D392
                    Function 00007FFD3467A0D3 Relevance: .3, Instructions: 251COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2414182134.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dc20da8ba3cf872e9751a8d15c3cb28aed24e961caed72b0c75aa336bea4159f
                    • Instruction ID: 773c73250437a994cc7d30f7fed5cc058f4424eda2b935964ba9139468579df1
                    • Opcode Fuzzy Hash: dc20da8ba3cf872e9751a8d15c3cb28aed24e961caed72b0c75aa336bea4159f
                    • Instruction Fuzzy Hash: F1116076A1E7D84FD7139F249C690E47FB0EF63215B0E41EBD588CB0A3DA1A5808C792
                    Function 00007FFD34679738 Relevance: .1, Instructions: 142COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2414182134.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 82b7f844b17ebd8fb0c8fa393ccd6c8a840346fa81e6366752ff60bfe3cfed20
                    • Instruction ID: 533218977150a49dccaf08f7e0a2f319b173369fd0eece9b8a20f0a5adaa16b4
                    • Opcode Fuzzy Hash: 82b7f844b17ebd8fb0c8fa393ccd6c8a840346fa81e6366752ff60bfe3cfed20
                    • Instruction Fuzzy Hash: E2412A31A1CA885FEB58DF5C9C566F9BBE0FB55310F10412FE449D3252DA24A806CBC2
                    Function 00007FFD3455EAA8 Relevance: .1, Instructions: 122COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2413305510.00007FFD3455D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3455D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f5b56e9055137f038b145bf624cdf67dfa60a16cb4e49ba05ee539528f6d0098
                    • Instruction ID: e8acf4c4edd19cf2da0b7725cec0e1dc4b7778a876fa97d755c3c52d737cb209
                    • Opcode Fuzzy Hash: f5b56e9055137f038b145bf624cdf67dfa60a16cb4e49ba05ee539528f6d0098
                    • Instruction Fuzzy Hash: 2741F37190DBC44FD7578B3898959523FB0EF53220B1906DFD089CB1A3D629E84AC7A2
                    Function 00007FFD3467A62C Relevance: .1, Instructions: 99COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2414182134.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 961282c7e2666fe0f4777de332b695b61e768c0e644a5551b41f4b35fc8a5d91
                    • Instruction ID: 97ab0d31d8977847d48135045cff076712a9f485466e7ce392882d2031a2684c
                    • Opcode Fuzzy Hash: 961282c7e2666fe0f4777de332b695b61e768c0e644a5551b41f4b35fc8a5d91
                    • Instruction Fuzzy Hash: 1421E430A0CB488FDB59DFA8D84A6E97BF0EB56321F04416FD049C3162DA74A416CB92
                    Function 00007FFD347440BF Relevance: .1, Instructions: 98COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2415004044.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16410e3cecf50de95d0877c4e28655c575485c7e358a7d469900c7849d2c714c
                    • Instruction ID: 9c8934b33e8a912a53bc0745829aa833c4a50baf5041d2218d017df66a26e622
                    • Opcode Fuzzy Hash: 16410e3cecf50de95d0877c4e28655c575485c7e358a7d469900c7849d2c714c
                    • Instruction Fuzzy Hash: 0321C3B3B0DA968FE7A5DA1844E117476D2EF66210B5900BAD24EC73E3DD2CFC05A381
                    Function 00007FFD347443BC Relevance: .1, Instructions: 63COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2415004044.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c14f7acb537bc64cef1e8268223d5f03953c33a4d2ca0a0b213ad73f042624e
                    • Instruction ID: 1c9ce94054bca8030f33fd688470fa66d4a1610a204fe754f171e93cf12d74ec
                    • Opcode Fuzzy Hash: 2c14f7acb537bc64cef1e8268223d5f03953c33a4d2ca0a0b213ad73f042624e
                    • Instruction Fuzzy Hash: 8D1106B2B0E6458FE7A4DA1C84E45B877D1EF46724B5900BAD25DC7293D92CBC00A381
                    Function 00007FFD3474681E Relevance: .1, Instructions: 60COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2415004044.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0ec94ff1c8fa3e05e9e5e414a30bc91b50b2066246cc8254c382123e4b8821b7
                    • Instruction ID: fa362e514406e6f65fc33ee98f3638782a4fcb90de42ff68c25474b0f40c36b2
                    • Opcode Fuzzy Hash: 0ec94ff1c8fa3e05e9e5e414a30bc91b50b2066246cc8254c382123e4b8821b7
                    • Instruction Fuzzy Hash: 951123B2B0D6888FE765EA9844A55787BD1EF5A320B1840BEC14CC7293DA2DA845C391
                    Function 00007FFD346733B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000008.00000002.2414182134.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                    • Instruction ID: fbdbe5f7fa31bdb5b4d96766301e1fa8c3ecf2e6deba8f06807b4dcd50cf955b
                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                    • Instruction Fuzzy Hash: 5401677121CB0C4FD754EF0CE451AA5B7E0FB95364F10056DE58AC3691DA36E892CB45

                    Non-executed Functions

                    Function 00007FFD34678995 Relevance: 5.1, Strings: 4, Instructions: 126COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2414182134.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: M_^$M_^$M_^$M_^
                    • API String ID: 0-1397233021
                    • Opcode ID: 5cda8bb06d4a2044ca05bca74f4618cb8d57bc6b483472a2dafcde31aba29770
                    • Instruction ID: dfb9a4f34e2c44d59f3098961ee486938b694ca2b53a77c1e5e2ea59acbd254e
                    • Opcode Fuzzy Hash: 5cda8bb06d4a2044ca05bca74f4618cb8d57bc6b483472a2dafcde31aba29770
                    • Instruction Fuzzy Hash: 6641A463E0E6D24FE3074B284CA50D57FA1EF53314B4A52F7C688DB093FA1D690A9752
                    Function 00007FFD34678BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000008.00000002.2414182134.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: M_^4$M_^7$M_^F$M_^J
                    • API String ID: 0-622050427
                    • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                    • Instruction ID: 38742e96664be9460a50deb9f89d8f10413ba588710842848fc8c0f904a8889b
                    • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                    • Instruction Fuzzy Hash: 692104B77086658ED3127BFDB8149EA3744CFA423978503B2E198DB083FD1860868AC0

                    Executed Functions

                    Function 00007FFD3468644D Relevance: .7, Instructions: 726COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2620118315.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b9712abb92924c5171b5cf762911cdfaa362a1861bb6af192ee8b0a21a9053e8
                    • Instruction ID: e05d559f7f21123568f61b5f3d6342aed8b29c48182819975034ac48affe8b7d
                    • Opcode Fuzzy Hash: b9712abb92924c5171b5cf762911cdfaa362a1861bb6af192ee8b0a21a9053e8
                    • Instruction Fuzzy Hash: 15D15F30A08A5D8FDF94DF58C495AED7BE1FF69300F14416AD40DD72A6CA38E881CB81
                    Function 00007FFD3468A0E0 Relevance: .3, Instructions: 257COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2620118315.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3592642db00be7900ec0818ac53db6e35aff730a58688f0cbd5a1cb314eeff38
                    • Instruction ID: d5e2f37b768385ad908c1491564e1f9f6e6f8e0e950c83322e60d781a4ff1322
                    • Opcode Fuzzy Hash: 3592642db00be7900ec0818ac53db6e35aff730a58688f0cbd5a1cb314eeff38
                    • Instruction Fuzzy Hash: CA21AF2591E7C54FDB139B689C750E53FB0EF63215B0901E7D4C8CF0A3DA198808C792
                    Function 00007FFD34689770 Relevance: .1, Instructions: 132COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2620118315.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 63a39a932e88100de160246f3f6708e48bc5ceeb333fc927e5a198666fcc6306
                    • Instruction ID: 9a39656d90c54d080161437de19e68553e562f20a5c8203c6816025b438ab93f
                    • Opcode Fuzzy Hash: 63a39a932e88100de160246f3f6708e48bc5ceeb333fc927e5a198666fcc6306
                    • Instruction Fuzzy Hash: EE41293190CB884FDB599F5C98066E97BF0FBA9310F04416FE449D3252DA34A815CBC2
                    Function 00007FFD3456EE20 Relevance: .1, Instructions: 125COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2618735449.00007FFD3456D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3456D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5a664eafec812da4720b29c132b295969c6ea08d7326aa49dda23d2f9c4771fc
                    • Instruction ID: eadd31613fd551fa9086727af922234831854d9c006d52b7316574893e0e64cd
                    • Opcode Fuzzy Hash: 5a664eafec812da4720b29c132b295969c6ea08d7326aa49dda23d2f9c4771fc
                    • Instruction Fuzzy Hash: 0941263180EBC45FD7579B2898919523FF0EF53320B1505EFD088CB1A3D629AC46C792
                    Function 00007FFD3468A6D5 Relevance: .1, Instructions: 98COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2620118315.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 29c4436da178d5c5047a631c314aa8f15290fa42612eb7163ae23975b3d7b897
                    • Instruction ID: e63d77bc641875f0b824f02c9faafbf75259d2c84aa918fad6036491782d2e50
                    • Opcode Fuzzy Hash: 29c4436da178d5c5047a631c314aa8f15290fa42612eb7163ae23975b3d7b897
                    • Instruction Fuzzy Hash: 9221053190CA4C8FDB59DF9C984A7E97BF0EB9A321F04416FD449D7162D634A80ACB92
                    Function 00007FFD3475681E Relevance: .1, Instructions: 60COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2621369341.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eacc5d59bcd1f4314ec96776f93ed83a5859e75d342e10bc00b2a1535c23c596
                    • Instruction ID: b200309a5081f98b6c52e4dd35fe4e36116ac1a186ebc5d0f21993f2a6adb5c4
                    • Opcode Fuzzy Hash: eacc5d59bcd1f4314ec96776f93ed83a5859e75d342e10bc00b2a1535c23c596
                    • Instruction Fuzzy Hash: 68112772F0D6888FE765DA9844E556877D1EF1A314B1840FEC14CCB193D928B806C391
                    Function 00007FFD346833B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2620118315.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                    • Instruction ID: 99ccd9aa28ab21da87489c59e0d9d7a1036f9ae1a88a610e4ac9eb2b15120870
                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                    • Instruction Fuzzy Hash: 2701677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E892CB45
                    Function 00007FFD3475414D Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2621369341.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4245372bdad59e1a48199f5b91f38269a935a7564f97e607a8e6ea2f20db894a
                    • Instruction ID: 3f00e089c87275aed5450d3f83d5b138090b933ab7c6bdc63d7317fbee80fa99
                    • Opcode Fuzzy Hash: 4245372bdad59e1a48199f5b91f38269a935a7564f97e607a8e6ea2f20db894a
                    • Instruction Fuzzy Hash: 10F09A32B0C5048FE669EB4CE4919A873E0EF56320B1140BAE25DCB163DA29EC42C781
                    Function 00007FFD34754400 Relevance: .0, Instructions: 35COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2621369341.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9f534cb0d9fd4d6ddfb1078a6ac6f7f3db2244b9215190ac3be2391972221f5f
                    • Instruction ID: c3ecc502702faeb949d434045a782a056f0b34404db93b31e50eed88a1876e55
                    • Opcode Fuzzy Hash: 9f534cb0d9fd4d6ddfb1078a6ac6f7f3db2244b9215190ac3be2391972221f5f
                    • Instruction Fuzzy Hash: 36F0BE72A4C5488FE754EB4CE4959A877E0EF06324B1100F6E25DCB063DA29FC41C780
                    Function 00007FFD347541D1 Relevance: .0, Instructions: 29COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2621369341.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                    • Instruction ID: 720172a6d3efd7e825cf2b9b93fc6acfdeb6409c92a7db0ea708b47ea34b6aee
                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                    • Instruction Fuzzy Hash: 06E0123170C414DFDA68EB0DE0909A973E1EB9932171101B7D24ECB561CA25FC529BC0

                    Non-executed Functions

                    Function 00007FFD34688BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.2620118315.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                    • API String ID: 0-1415242001
                    • Opcode ID: 1d997aa9ad3e90242703a19c78973e7dfb3863e430ca4f2520de268e7f122f2a
                    • Instruction ID: 215c0943385c266ca4d48282c0a77c13228db42d4b627e60f13bf7db48ebc3c7
                    • Opcode Fuzzy Hash: 1d997aa9ad3e90242703a19c78973e7dfb3863e430ca4f2520de268e7f122f2a
                    • Instruction Fuzzy Hash: 2B21D4B3B486154AC2123BEDB8525EE7784DFA437934561F3E358DF513DF28A48B8A80

                    Executed Functions

                    Function 00007FFD34671719 Relevance: .6, Instructions: 610COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cbd0c5f5b53b7fdc356649a6cd826b2cf6f60d5271f60287a5e833120233c734
                    • Instruction ID: 13a66e7087d64fb8523bc673c88fd308353e8384c54454dac81ec1c0514643a7
                    • Opcode Fuzzy Hash: cbd0c5f5b53b7fdc356649a6cd826b2cf6f60d5271f60287a5e833120233c734
                    • Instruction Fuzzy Hash: 9A12E571B19A594FE7A4EB7888B92F97BD2FF99340F44457AD04EC32D2DE2CA8018741
                    Function 00007FFD34670AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 9N_^
                    • API String ID: 0-1737749909
                    • Opcode ID: 2817a90aacfb222b8cc91b935ad2c915376cea520150d4a649d911bb2902d74e
                    • Instruction ID: 6ef8fb43aa3b2be371686609a0edd560483d5ee22165d604808e4b89c4254283
                    • Opcode Fuzzy Hash: 2817a90aacfb222b8cc91b935ad2c915376cea520150d4a649d911bb2902d74e
                    • Instruction Fuzzy Hash: AD614D26B4CA268BD711BBFCE8612FE7BA4EFD5329B044536C18DD7183CD28A4468790
                    Function 00007FFD34670E8E Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 4N_^
                    • API String ID: 0-2516135240
                    • Opcode ID: 74c730197dc98a5f092ba5eea9e863d11c94ad9073c7eb6ed12edb66b5dc09b2
                    • Instruction ID: d402f190da1301626c0262a01641502454c348124472cef25da74cbaa3a2b81b
                    • Opcode Fuzzy Hash: 74c730197dc98a5f092ba5eea9e863d11c94ad9073c7eb6ed12edb66b5dc09b2
                    • Instruction Fuzzy Hash: 6851F421B0DA860FE366A7B898661BA7FD1DF8722170980FFD48DC7193DC1C98468362
                    Function 00007FFD346706CD Relevance: 1.4, Strings: 1, Instructions: 199COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <N_^
                    • API String ID: 0-1347224999
                    • Opcode ID: 774703e2ef6deef28c6c57db02415e2ce1182bbfbb340094e4a73c9460368606
                    • Instruction ID: b31f3b6190316367bc6fae20dab795e5ead093e7a4038e43b3280a115592e754
                    • Opcode Fuzzy Hash: 774703e2ef6deef28c6c57db02415e2ce1182bbfbb340094e4a73c9460368606
                    • Instruction Fuzzy Hash: 8551D662B4E7554FD712EBFCE8B11FA3F60AF8621875440B6D18DCB293ED2CA8068751
                    Function 00007FFD346707D3 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <N_^
                    • API String ID: 0-1347224999
                    • Opcode ID: d751c761212a3f5939e486ef4ecf6e0a0d35c92791dddcb2d0c4a4226518b196
                    • Instruction ID: 0e21933db01a64f09140c9b8f998382b970fc6c60566944b04b598fe148b2b95
                    • Opcode Fuzzy Hash: d751c761212a3f5939e486ef4ecf6e0a0d35c92791dddcb2d0c4a4226518b196
                    • Instruction Fuzzy Hash: 7D41E335B4D3558FD712EBF8E4B12FA3BA0AF8631974440B6D18DD7293EE2868018751
                    Function 00007FFD34671295 Relevance: .9, Instructions: 852COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9f599372d480690eab36880f21974e4191b51bb9adc1812e71131d93e04c4679
                    • Instruction ID: 079875e11bd5d186f9ba641654a9b27e4725c92cf87849a073b86d6ab3db0b8b
                    • Opcode Fuzzy Hash: 9f599372d480690eab36880f21974e4191b51bb9adc1812e71131d93e04c4679
                    • Instruction Fuzzy Hash: CC21E933E0D6A54FE751ABBC98B51EA7BE1EF52325B0840B7C2C8DA193ED1C68459740
                    Function 00007FFD34670985 Relevance: .3, Instructions: 346COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ff17a00aeedae93f1dd24f7ffd553aedab98a7ae3d62e9de04b41101cf929eb
                    • Instruction ID: f71e1df60215e54224a848f4c2c8b6635b43bb197f0fbc6d5f43a77165a3821c
                    • Opcode Fuzzy Hash: 8ff17a00aeedae93f1dd24f7ffd553aedab98a7ae3d62e9de04b41101cf929eb
                    • Instruction Fuzzy Hash: 48A1F627B0CA668BD711BBFCF8612EA7BA0EFD5376B044577C289DB183C924644687D0
                    Function 00007FFD346709D3 Relevance: .3, Instructions: 320COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0caedf793d2f2f6e7981f9a9ad138df738842b2ff519e76babf7b33aa71ed87a
                    • Instruction ID: dea8b616548fdd14113d74604520482d072ef99bf596f0b216f6f7885d8c710c
                    • Opcode Fuzzy Hash: 0caedf793d2f2f6e7981f9a9ad138df738842b2ff519e76babf7b33aa71ed87a
                    • Instruction Fuzzy Hash: C8912527B0CA268AD710BBFCF8612EA7BA0EFD5376B444577C289DB183CD24644687D0
                    Function 00007FFD34670A08 Relevance: .3, Instructions: 305COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 771d388d0a48cc1396d45d049406b7a516c4b4711253ca39d88c3e21c2fc6e01
                    • Instruction ID: d570ebb3e59e31556aaa295d3e8b81e8806f176221e6f2adda11ec40b2f6b737
                    • Opcode Fuzzy Hash: 771d388d0a48cc1396d45d049406b7a516c4b4711253ca39d88c3e21c2fc6e01
                    • Instruction Fuzzy Hash: 10811726B0CA268AD711BBFCF8612FA7BA4EFD5376B044577C289DB183CD24644687D0
                    Function 00007FFD34670A10 Relevance: .3, Instructions: 301COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 63175ef3189bbc9d9455cc176e3456e635931129f4d2ae8ae5c4090b75dff130
                    • Instruction ID: 7ce7e8a9d07ea91f79c2060bfe59d0d1302e97ea3037188ccc597446f5c2aa27
                    • Opcode Fuzzy Hash: 63175ef3189bbc9d9455cc176e3456e635931129f4d2ae8ae5c4090b75dff130
                    • Instruction Fuzzy Hash: EE811826B0CA268AD710BBFCF8612FA7BA4EFD5376B044577C289DB183CD24644687D0
                    Function 00007FFD34670A48 Relevance: .3, Instructions: 270COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ab4ed8786cce91424e11cb5b2e5181e7e8d8ebeaed4b16c696288d0d367270b3
                    • Instruction ID: 02694fc55c2a9b8e5c2706ce85581e7897398559bb0beb2ed90c9eef8c496cea
                    • Opcode Fuzzy Hash: ab4ed8786cce91424e11cb5b2e5181e7e8d8ebeaed4b16c696288d0d367270b3
                    • Instruction Fuzzy Hash: 63712626B0CA268AD710BBFCE8612EA7BA5EFD536AB04457BC189D7183CD246446C7D0
                    Function 00007FFD34670D21 Relevance: .1, Instructions: 124COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b85ff56a4d261f48f9a74741ef10c178706c9f072208e361e1ee492941dc4da
                    • Instruction ID: cfe19019701e3893cbbbcd99161ec207756441e7c6a9b8ccfa50f4d619b79ff9
                    • Opcode Fuzzy Hash: 5b85ff56a4d261f48f9a74741ef10c178706c9f072208e361e1ee492941dc4da
                    • Instruction Fuzzy Hash: 6C31A552B18E594FF754BBE8986A3FEA6D1EB98311F14417BE00DC3292DD18A8418791
                    Function 00007FFD34670BD3 Relevance: .1, Instructions: 120COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f03b14bdfbd48795f089b1590d201864f44abe19300a356aee3ec7cc4f5af70
                    • Instruction ID: acdaae325640d5668b0be043ded4400cb409f54380fe3b3b1aa2d3f55dde8338
                    • Opcode Fuzzy Hash: 8f03b14bdfbd48795f089b1590d201864f44abe19300a356aee3ec7cc4f5af70
                    • Instruction Fuzzy Hash: A141B161B1DA5A8FEB45EBB8C8712FD7BE1FF99300F540479D049D3282DD38A8018750
                    Function 00007FFD34671FEC Relevance: .1, Instructions: 102COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2474c39d32dabe5ad88c9c556577a77e1051dfaad6a4ff9ad0cdebad8beb71d0
                    • Instruction ID: cd365f14dbe690f539da07590b0aa6240aa9202e301c5d6c086a7b7036e09202
                    • Opcode Fuzzy Hash: 2474c39d32dabe5ad88c9c556577a77e1051dfaad6a4ff9ad0cdebad8beb71d0
                    • Instruction Fuzzy Hash: A8218521B1DA494FE798FB6C946A378B6C2EF9D315F0445BEE04EC3293DD68AC418741
                    Function 00007FFD346720E1 Relevance: .0, Instructions: 47COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000010.00000002.2765998951.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 472802d4f49926d2ca9211dca6a41cefe6b6e4f6b7fa08ee242a3d6725f003d7
                    • Instruction ID: 7b526ec689875cbc26afe1573aa400647d215062ca7db807e414bc55a3216cf0
                    • Opcode Fuzzy Hash: 472802d4f49926d2ca9211dca6a41cefe6b6e4f6b7fa08ee242a3d6725f003d7
                    • Instruction Fuzzy Hash: CC017B10A0C7D14FE752AB384CB64767FF0AFD3250B0804AAD98AC71D3E91CAA84D353

                    Executed Functions

                    Function 00007FFD346816DE Relevance: .6, Instructions: 640COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d46f1a76b0496e33d6d0e06351188258b096fa955e236ac4c77cfb2867c253ee
                    • Instruction ID: ab9bfe5f5880c846c318fc8fcae223d3bbd3e372b74db063a218670d4e1d70a4
                    • Opcode Fuzzy Hash: d46f1a76b0496e33d6d0e06351188258b096fa955e236ac4c77cfb2867c253ee
                    • Instruction Fuzzy Hash: 7912C361B19B5A4FE7A4EB6C84B92F977D2EF99300F4405BDD14EC32D2ED2CA8428341
                    Function 00007FFD34681719 Relevance: .6, Instructions: 577COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f06cbe1695c88c41c9c50c61e550f618c8dd2ebf347a83ab71f450d191fa8426
                    • Instruction ID: bca9759f30b4a6ac943609b158739b7b86bfe02127eb259cadd5ed4795af3043
                    • Opcode Fuzzy Hash: f06cbe1695c88c41c9c50c61e550f618c8dd2ebf347a83ab71f450d191fa8426
                    • Instruction Fuzzy Hash: 0C02C361B19B594FE7A4EB6C84B92F977D2FF99300F4405B9D14EC32D2ED2CA8428341
                    Function 00007FFD34680AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 9M_^
                    • API String ID: 0-1708477388
                    • Opcode ID: dea9f259b98d7e2f5c28b7b11ff33be7138b215be992026addf588f63d74af87
                    • Instruction ID: 4fb3399e2c5cf46ef41058318a6176316b82bc156fd6cbf7cb7dd14ff4c2bd2d
                    • Opcode Fuzzy Hash: dea9f259b98d7e2f5c28b7b11ff33be7138b215be992026addf588f63d74af87
                    • Instruction Fuzzy Hash: 4E614726B4DB2A8AE750BBFCE4611FE77A4EFD5329B040676D18CD7283CD2960468790
                    Function 00007FFD34680E8E Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 4M_^
                    • API String ID: 0-2545914641
                    • Opcode ID: 39d5eb2a76cba7e9e820e4693b02ef23a8c332181c7e6d60ddeb63ecc335758a
                    • Instruction ID: 4484e718023be0829c040c43c4a5844e88cdab2598c3ff69bf5226a2f437bb7a
                    • Opcode Fuzzy Hash: 39d5eb2a76cba7e9e820e4693b02ef23a8c332181c7e6d60ddeb63ecc335758a
                    • Instruction Fuzzy Hash: 3C510521B0DB8A0FE3A6A77C98661BA3BE1DF87221B0941FFD48CC7193DC5C58428352
                    Function 00007FFD346806CD Relevance: 1.4, Strings: 1, Instructions: 199COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <M_^
                    • API String ID: 0-1376500734
                    • Opcode ID: 7859d03b15f06e329496c868906e6a350c2a58a0095cc3deeb1741f20ee26388
                    • Instruction ID: 71dc0ce0cf416b6d83f1de64408d9c99f8d0d3de86760940d7a980be82c97f74
                    • Opcode Fuzzy Hash: 7859d03b15f06e329496c868906e6a350c2a58a0095cc3deeb1741f20ee26388
                    • Instruction Fuzzy Hash: 57513962B0D7854FD751EBECE8B11FA3BA0EF8631874445B6D18DCB293ED2898078751
                    Function 00007FFD346807D3 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <M_^
                    • API String ID: 0-1376500734
                    • Opcode ID: e7bea20152cdc432dcf1d70db978f5500d212406703e565e84d9806c981bfc2b
                    • Instruction ID: 6598e89665497b52414f6f04062e433418aeda92f15dc476d37d0738004b129c
                    • Opcode Fuzzy Hash: e7bea20152cdc432dcf1d70db978f5500d212406703e565e84d9806c981bfc2b
                    • Instruction Fuzzy Hash: 87412366B4D7498FD752EBFCE4B11FA3BA0EF8631874445B6D18DC7293ED2898028741
                    Function 00007FFD34681295 Relevance: .9, Instructions: 851COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 298a9a17e2c4588144db5557ae60a673c370b9b0f11dd724ed6ec4214adafd20
                    • Instruction ID: 8c9cfb7f34561d13dba72a6a7023f86d7ad2d10cd1ada9e25e59a17a537f827f
                    • Opcode Fuzzy Hash: 298a9a17e2c4588144db5557ae60a673c370b9b0f11dd724ed6ec4214adafd20
                    • Instruction Fuzzy Hash: 7721DB33F0D6A94FE791ABAC98B50EA7BA0EF52315B0802B6C1C4DA193ED1C64459740
                    Function 00007FFD34680985 Relevance: .3, Instructions: 346COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f8215383d3d4cc1e47121a3707510d361ff59998a6522cf070fb43f5ea4478e
                    • Instruction ID: 7efa1215538aecdb5d519d279f688e015519a524c9f79b3b66c3798256f87dce
                    • Opcode Fuzzy Hash: 8f8215383d3d4cc1e47121a3707510d361ff59998a6522cf070fb43f5ea4478e
                    • Instruction Fuzzy Hash: BBA1FA2770DA6A8AD711BBBCF4611FE7B60EFD6336B0446B7D189DA183CD2460468BD0
                    Function 00007FFD346809D3 Relevance: .3, Instructions: 320COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 88f85e7e97562ba9f9501918589e21eaca147a8b421c3ae81cf3b86ea13817d3
                    • Instruction ID: 778619d29dfc6e752e5ce706d72a7b652ed1024cfc401e97c8a0cb9b21d9e4af
                    • Opcode Fuzzy Hash: 88f85e7e97562ba9f9501918589e21eaca147a8b421c3ae81cf3b86ea13817d3
                    • Instruction Fuzzy Hash: D9910726B09A2E8AD710BBBCF4611FA7B94EFD5336B0446B7D189DA183CD25604687D0
                    Function 00007FFD34680A08 Relevance: .3, Instructions: 305COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eacba54ec11c13b6d89c6f53eb25aa802a96eadd7ce4ad0398daf3265f9cfaa7
                    • Instruction ID: eefded27cfdd6fd9da6e1ffd427c86a0cb8ebec59e5ef255309e5be2bb97ecfc
                    • Opcode Fuzzy Hash: eacba54ec11c13b6d89c6f53eb25aa802a96eadd7ce4ad0398daf3265f9cfaa7
                    • Instruction Fuzzy Hash: 2881F726B0DA2A8AD710BBFCF4611FE7BA4EFD5326B044677D189DA183CD2460468BD0
                    Function 00007FFD34680A10 Relevance: .3, Instructions: 301COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 787f8ac5a415a3fec6d197f6ec285b4cb17490912120241bacb9746c7e17142a
                    • Instruction ID: 3442f41d2f58ba025bf07fb7f0a64f0d00e45b876cf8cf96685c2604c1577222
                    • Opcode Fuzzy Hash: 787f8ac5a415a3fec6d197f6ec285b4cb17490912120241bacb9746c7e17142a
                    • Instruction Fuzzy Hash: 2381F726B0DA2A8AD710BBFCF4651FE7BA4EFD5336B044677D189DA183CD2460468BD0
                    Function 00007FFD34680A48 Relevance: .3, Instructions: 270COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d69bbe876d4295f25ec264c17b370f7db7763b7bf9ae213855e4e3a08e9064cb
                    • Instruction ID: a65e9f6014177b45c262d0cbc34dac61e09f781e80589bf9e86260be7da78df6
                    • Opcode Fuzzy Hash: d69bbe876d4295f25ec264c17b370f7db7763b7bf9ae213855e4e3a08e9064cb
                    • Instruction Fuzzy Hash: C6710726B09A2A8ADB10BBFCF4611FE7BA4EFD5325B0446B7D189D7183CD246046CB90
                    Function 00007FFD34680D21 Relevance: .1, Instructions: 124COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b3ecbae7fec9cb32d127f517136c10efdad3710d7e83a14b6f2fc55c8a2becd4
                    • Instruction ID: c88b103dda80a207f5a7c691102b3273988e9ca26f50da870d21b1d22a860f90
                    • Opcode Fuzzy Hash: b3ecbae7fec9cb32d127f517136c10efdad3710d7e83a14b6f2fc55c8a2becd4
                    • Instruction Fuzzy Hash: A631B662B19E594FF794BBEC98693BEB7D1EB99311F1402BBE00DC3293DD1868018791
                    Function 00007FFD34680BD3 Relevance: .1, Instructions: 122COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cd5b940ea19aa85fa7038afa57a3257f55f32770386881202aa6f7b1735c2765
                    • Instruction ID: 4c0d8bf2a0409a08e79e382670a87b0f2462fa1a819e9117cc0fbf1b9c852207
                    • Opcode Fuzzy Hash: cd5b940ea19aa85fa7038afa57a3257f55f32770386881202aa6f7b1735c2765
                    • Instruction Fuzzy Hash: 4941AF61B19B5E8FEB95EBA8D8712FE7BA1FF99300F540575D049D3282DD38A8028750
                    Function 00007FFD34681FEC Relevance: .1, Instructions: 102COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7be29a6528922884303e506446ac6f26363fbaab688ca01639004fc17eb8a048
                    • Instruction ID: ef2a733416d99b8a63606f943b2f39e7a0b69d73098db56b80083da27cf85c8e
                    • Opcode Fuzzy Hash: 7be29a6528922884303e506446ac6f26363fbaab688ca01639004fc17eb8a048
                    • Instruction Fuzzy Hash: 64215321B1DA494FE798FB6C946A378B7C2EF99315F0405BEE04EC7293DE689C418741
                    Function 00007FFD346820E1 Relevance: .0, Instructions: 47COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000011.00000002.2848359020.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2fd7837cc1b4f82c3645e7d73dc8128b648aff53db24692b3fe38658aaffaead
                    • Instruction ID: c4ce7631a55c8d81216009f3ded44444c5ed5aa0aa1cbcc4de9eb928141dc736
                    • Opcode Fuzzy Hash: 2fd7837cc1b4f82c3645e7d73dc8128b648aff53db24692b3fe38658aaffaead
                    • Instruction Fuzzy Hash: 0D014C11A0D7D10FE386AB3898B54767FF09F93340B1804BAEACAC61E3E81C6945D352