
Windows Analysis Report
Nova Mod Pack.exe

Overview

General Information

Sample name:Nova Mod Pack.exe
Analysis ID:1468055
MD5:5c76d15a7d3f57f26edc494bd9db318b
SHA1:cfa089d8d7e9fde67b6cb85827d33431b2d80066
SHA256:af872e954905dbfeb165da42d722889a7dfc4b84e88b52c9abc9de18a1a9d74f
Tags:exe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Nova Mod Pack.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\Nova Mod Pack.exe" MD5: 5C76D15A7D3F57F26EDC494BD9DB318B)
    • powershell.exe (PID: 6164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nova Mod Pack.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\System32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6676 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5196 cmdline: "C:\Windows\System32\schtasks.exe" /delete /f /tn "System32" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 504 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 2816 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • System32.exe (PID: 4828 cmdline: C:\Users\user\System32.exe MD5: 5C76D15A7D3F57F26EDC494BD9DB318B)
  • System32.exe (PID: 5920 cmdline: "C:\Users\user\System32.exe" MD5: 5C76D15A7D3F57F26EDC494BD9DB318B)
  • System32.exe (PID: 3960 cmdline: "C:\Users\user\System32.exe" MD5: 5C76D15A7D3F57F26EDC494BD9DB318B)
    • schtasks.exe (PID: 2668 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • System32.exe (PID: 4076 cmdline: C:\Users\user\System32.exe MD5: 5C76D15A7D3F57F26EDC494BD9DB318B)
  • cleanup
{"C2 url": ["pdf-standards.gl.at.ply.gg"], "Port": "59683", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author
Nova Mod Pack.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\System32.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000000.00000002.2568453505.0000000003196000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: Nova Mod Pack.exe PID: 6924 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: System32.exe PID: 3960 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.Nova Mod Pack.exe.c50000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nova Mod Pack.exe", ParentImage: C:\Users\user\Desktop\Nova Mod Pack.exe, ParentProcessId: 6924, ParentProcessName: Nova Mod Pack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', ProcessId: 6164, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nova Mod Pack.exe", ParentImage: C:\Users\user\Desktop\Nova Mod Pack.exe, ParentProcessId: 6924, ParentProcessName: Nova Mod Pack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', ProcessId: 6164, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\System32.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Nova Mod Pack.exe, ProcessId: 6924, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nova Mod Pack.exe", ParentImage: C:\Users\user\Desktop\Nova Mod Pack.exe, ParentProcessId: 6924, ParentProcessName: Nova Mod Pack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', ProcessId: 6164, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\Nova Mod Pack.exe, ProcessId: 6924, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nova Mod Pack.exe", ParentImage: C:\Users\user\Desktop\Nova Mod Pack.exe, ParentProcessId: 6924, ParentProcessName: Nova Mod Pack.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe', ProcessId: 6164, ProcessName: powershell.exe
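The process tree and the Sigma hits above show a single actor, the dropper, doing four things within seconds: excluding itself and its copy from Defender through powershell.exe with the execution policy bypassed, registering a scheduled task that relaunches C:\Users\user\System32.exe every minute with highest privileges, writing a Run value under HKCU, and dropping a Startup-folder .lnk. The Python below is an added example, not Joe Sandbox, Sigma or XWorm code, of the detection logic a responder would run over endpoint telemetry for this chain. The Event schema is an assumed, simplified Sysmon-like shape, and SAMPLE_EVENTS are constructed to mirror the report's command lines, registry write and file write, with two benign controls that must not fire.

```python
"""Host-side triage for the evasion-and-persistence chain in this report:
Defender exclusions added through powershell.exe, a one-minute scheduled task,
an HKCU Run value and a Startup-folder .lnk, all pointing into the user profile.

Added example, not Joe Sandbox, Sigma or XWorm code. Event is an assumed,
simplified Sysmon-like schema; SAMPLE_EVENTS are constructed to mirror the
report's command lines, registry write and file write, plus two benign controls.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process", "registry" or "file"
    image: str               # process performing the action
    command_line: str = ""   # process events only
    parent_image: str = ""   # process events only
    target: str = ""         # registry value path or file path written
    details: str = ""        # registry value data


@dataclass
class Finding:
    rule: str
    severity: str
    actor: str               # process the finding is attributed to
    detail: str


USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
EP_BYPASS = re.compile(r"-(ExecutionPolicy|ep|exec)\s+Bypass\b", re.I)
TASK_CREATE = re.compile(r"/create\b", re.I)
TASK_MINUTE = re.compile(r"/sc\s+minute\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def _exe(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> list[Finding]:
    out: list[Finding] = []
    cmd = ev.command_line
    if _exe(ev.image) == "powershell.exe" and MP_EXCLUSION.search(cmd):
        # A Defender exclusion is rare outside admin tooling; adding one with
        # the execution policy bypassed is the pattern this sample uses.
        sev = "high" if EP_BYPASS.search(cmd) else "medium"
        out.append(Finding("defender_exclusion_added", sev, ev.parent_image, cmd))
    if _exe(ev.image) == "schtasks.exe" and TASK_CREATE.search(cmd):
        m = TASK_ACTION.search(cmd)
        action = (m.group(1) or m.group(2)) if m else ""
        # Relaunching a user-profile binary every minute is a watchdog, not maintenance.
        if TASK_MINUTE.search(cmd) and USER_PROFILE.match(action):
            out.append(Finding("minute_task_to_user_profile", "high", ev.parent_image, action))
    return out


def check_registry(ev: Event) -> list[Finding]:
    if RUN_KEY.search(ev.target) and USER_PROFILE.match(ev.details):
        return [Finding("run_key_to_user_profile", "high", ev.image, f"{ev.target} = {ev.details}")]
    return []


def check_file(ev: Event) -> list[Finding]:
    if STARTUP_LNK.search(ev.target):
        return [Finding("startup_folder_lnk", "medium", ev.image, ev.target)]
    return []


def triage(events: list[Event]) -> list[Finding]:
    checks = {"process": check_process, "registry": check_registry, "file": check_file}
    return [f for ev in events for f in checks.get(ev.kind, lambda e: [])(ev)]


def correlate(findings: list[Finding]) -> dict[str, set[str]]:
    """Distinct rules tripped per actor; one actor hitting evasion and
    persistence rules together is the signal worth paging on."""
    chains: dict[str, set[str]] = {}
    for f in findings:
        chains.setdefault(f.actor, set()).add(f.rule)
    return chains


PS_IMG = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS = f'"{PS_IMG}"'
TASKS_IMG = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\Nova Mod Pack.exe"

SAMPLE_EVENTS = [  # constructed, mirroring the report; the last two are benign controls
    Event("process", PS_IMG, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe'", DROPPER),
    Event("process", PS_IMG, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'", DROPPER),
    Event("process", TASKS_IMG, rf'"{TASKS_IMG}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"', DROPPER),
    Event("registry", DROPPER, target=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32",
          details=r"C:\Users\user\System32.exe"),
    Event("file", DROPPER, target=r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk"),
    Event("process", PS_IMG, PS + " -NoProfile Get-MpPreference", r"C:\Windows\explorer.exe"),
    Event("process", TASKS_IMG, rf'"{TASKS_IMG}" /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    for actor, rules in correlate(found).items():
        print(f"{actor} -> {sorted(rules)}")
```

The correlation step matters more than any single rule: Add-MpPreference has legitimate administrative use, but one binary in a user profile that adds an exclusion, a one-minute task, a Run value and a Startup link in the same minute has no benign reading. Two caveats: the PowerShell rule only sees the cmdlet path, and Add-MpPreference is a wrapper over Defender's WMI provider (MSFT_MpPreference), so also collect Microsoft-Windows-Windows Defender/Operational event ID 5007, which records the configuration change however it was made; and during cleanup remove the exclusions (Remove-MpPreference -ExclusionPath / -ExclusionProcess) before deleting the task and the Run value, otherwise Defender will keep ignoring the binary the task relaunches.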
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/05/24-09:34:48.020705 | 2852923 | 49738 | 59683 | TCP | A Network Trojan was detected
07/05/24-09:35:38.775753 | 2852923 | 49739 | 59683 | TCP | A Network Trojan was detected
07/05/24-09:35:38.774129 | 2852870 | 59683 | 49739 | TCP | A Network Trojan was detected
07/05/24-09:34:47.842512 | 2855924 | 49738 | 59683 | TCP | A Network Trojan was detected
07/05/24-09:35:19.341978 | 2852874 | 59683 | 49739 | TCP | A Network Trojan was detected
07/05/24-09:34:51.952855 | 2852870 | 59683 | 49738 | TCP | A Network Trojan was detected
07/05/24-09:34:49.355900 | 2852874 | 59683 | 49738 | TCP | A Network Trojan was detected

                AV Detection

Source: 0000001A.00000002.2674641393.0000000002641000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["pdf-standards.gl.at.ply.gg"], "Port": "59683", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\System32.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\System32.exe | Virustotal: Detection: 50%
Source: Nova Mod Pack.exe | Virustotal: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\System32.exe | Joe Sandbox ML: detected
Source: Nova Mod Pack.exe | Joe Sandbox ML: detected
Source: Nova Mod Pack.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Nova Mod Pack.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49738 -> 147.185.221.20:59683
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 147.185.221.20:59683 -> 192.168.2.4:49738
Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49738 -> 147.185.221.20:59683
Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 147.185.221.20:59683 -> 192.168.2.4:49738
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 147.185.221.20:59683 -> 192.168.2.4:49739
Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49739 -> 147.185.221.20:59683
Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 147.185.221.20:59683 -> 192.168.2.4:49739
Source: Malware configuration extractor | URLs: pdf-standards.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.20 ports 59683,3,5,6,8,9
Source: Yara match | File source: Nova Mod Pack.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Nova Mod Pack.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\System32.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 147.185.221.20:59683
Source: Joe Sandbox View | IP Address: 147.185.221.20
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: pdf-standards.gl.at.ply.gg
Source: powershell.exe, 00000001.00000002.1807733440.00000257D0FC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000001.00000002.1801297927.00000257C8A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1886402484.0000028C90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2041393636.0000028BCEDF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1904913024.0000028CFC1B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000001.00000002.1785804571.00000257B8C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBEFA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Nova Mod Pack.exe, 00000000.00000002.2568453505.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1785804571.00000257B89F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBED81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B55781000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1785804571.00000257B8C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBEFA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2273470371.0000021B6DBF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1904913024.0000028CFC1B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cob
Source: powershell.exe, 00000001.00000002.1785804571.00000257B89F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBED81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B55781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Nova Mod Pack.exe, System32.exe.0.dr | String found in binary or memory: https://discord.gg/sU6Cv4MGev
Source: powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1906050473.0000028CFC2A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000001.00000002.1801297927.00000257C8A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1886402484.0000028C90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2041393636.0000028BCEDF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
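The Snort alert table earlier in the report and the Snort rows in this Networking section describe the same traffic from two angles: seven alerts, four ET PRO signatures, one C2 endpoint. What an analyst wants from that is per-connection sessions rather than a flat alert list. The Python below is an added example, not Joe Sandbox or Emerging Threats code: it parses the report's seven alert records in the one-field-per-line form of the export (the constant Protocol and Classtype lines are omitted from the embedded copy), discards anything not involving the C2 port from the extracted config, and groups the rest by the victim's ephemeral port, which identifies one TCP connection in both directions.

```python
"""Reconstruct per-connection C2 sessions from this report's Snort alerts.

Added example, not Joe Sandbox or Emerging Threats code. RAW_ALERTS holds the
report's seven alert records as exported, one key:value field per line (the
constant Protocol:TCP and Classtype lines are omitted); C2_PORT is the "Port"
field of the extracted XWorm config on this page.
"""
from dataclasses import dataclass
from datetime import datetime

C2_PORT = 59683
SID_NAMES = {  # ET PRO rule names from the report's Networking section
    2855924: "ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound",
    2852923: "ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2852870: "ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes",
    2852874: "ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2",
}
RAW_ALERTS = """\
Timestamp:07/05/24-09:34:48.020705
SID:2852923
Source Port:49738
Destination Port:59683
Timestamp:07/05/24-09:35:38.775753
SID:2852923
Source Port:49739
Destination Port:59683
Timestamp:07/05/24-09:35:38.774129
SID:2852870
Source Port:59683
Destination Port:49739
Timestamp:07/05/24-09:34:47.842512
SID:2855924
Source Port:49738
Destination Port:59683
Timestamp:07/05/24-09:35:19.341978
SID:2852874
Source Port:59683
Destination Port:49739
Timestamp:07/05/24-09:34:51.952855
SID:2852870
Source Port:59683
Destination Port:49738
Timestamp:07/05/24-09:34:49.355900
SID:2852874
Source Port:59683
Destination Port:49738
"""


@dataclass
class Alert:
    ts: datetime
    sid: int
    src_port: int
    dst_port: int

    @property
    def outbound(self) -> bool:  # True for victim -> C2
        return self.dst_port == C2_PORT

    @property
    def client_port(self) -> int:  # victim's ephemeral port, same in both directions
        return self.src_port if self.outbound else self.dst_port


def parse_alerts(text: str) -> list[Alert]:
    """A Timestamp line starts a record; later key:value lines extend it."""
    alerts, rec = [], {}

    def flush():
        if rec:
            ts = datetime.strptime(rec["Timestamp"], "%m/%d/%y-%H:%M:%S.%f")  # Snort MM/DD/YY
            alerts.append(Alert(ts, int(rec["SID"]), int(rec["Source Port"]), int(rec["Destination Port"])))

    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        if key == "Timestamp":
            flush()
            rec = {}
        rec[key] = val.strip()
    flush()
    return alerts


def sessions(alerts: list[Alert]) -> dict[int, list[Alert]]:
    """Alerts grouped per victim connection to the C2 port, time-ordered, oldest connection first."""
    by_port: dict[int, list[Alert]] = {}
    for a in alerts:
        if C2_PORT in (a.src_port, a.dst_port):  # drop alerts unrelated to this config
            by_port.setdefault(a.client_port, []).append(a)
    for group in by_port.values():
        group.sort(key=lambda a: a.ts)
    return dict(sorted(by_port.items(), key=lambda kv: kv[1][0].ts))


def summarize(group: list[Alert]) -> dict:
    """Direction counts, wall-clock span and an ordered timeline for one connection."""
    out = sum(a.outbound for a in group)
    return {
        "out": out, "in": len(group) - out,
        "seconds": (group[-1].ts - group[0].ts).total_seconds(),
        "timeline": [(a.ts.time().isoformat(), "out" if a.outbound else "in",
                      SID_NAMES.get(a.sid, str(a.sid))) for a in group],
    }
```

Calling summarize on each value of sessions(parse_alerts(RAW_ALERTS)) yields two connections: client port 49738 carries the initial outbound PING and check-in and the two inbound replies inside about 4.1 s, and client port 49739, opened roughly 27 s after the first one went quiet, carries a second exchange. Two connections to the same host:port in the span of one sandbox run is a reconnect, which fits the dropper handing over to the System32.exe copies seen in the process tree. For hunting, lean on the hostname and the hostname:port pair rather than the bare IP: pdf-standards.gl.at.ply.gg is a playit.gg tunnel hostname, so 147.185.221.20 is the relay it resolved to during this run, shared with other tunnels and liable to change.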

                Operating System Destruction

Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process information set: 01 00 00 00
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process information set: 00 00 00 00
These two writes are the BreakOnTermination flag behind the "Protects its processes via BreakOnTermination flag" signature, set to 1 and then reset to 0. While the flag is set, terminating the process bugchecks Windows with CRITICAL_PROCESS_DIED, so during response clear the flag, or suspend the process, before killing it.

                System Summary

Source: Nova Mod Pack.exe | Static PE information: section name: q>"//S
Source: Nova Mod Pack.exe | Static PE information: section name: q>"//S
Source: System32.exe.0.dr | Static PE information: section name: q>"//S
Source: System32.exe.0.dr | Static PE information: section name: q>"//S
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B93DA86
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B945178
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B9308B9
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B93E802
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B93FF68
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B938E98
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B932598
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B937DC0
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B931F18
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B9336E8
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Code function: 0_2_00007FFD9B937624
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9BA12E11
Source: C:\Users\user\System32.exe | Code function: 15_2_00007FFD9B9108B9
Source: C:\Users\user\System32.exe | Code function: 15_2_00007FFD9B911F18
Source: C:\Users\user\System32.exe | Code function: 15_2_00007FFD9B9136E8
Source: C:\Users\user\System32.exe | Code function: 16_2_00007FFD9B9108B9
Source: C:\Users\user\System32.exe | Code function: 16_2_00007FFD9B911F18
Source: C:\Users\user\System32.exe | Code function: 16_2_00007FFD9B9136E8
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B93DA88
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B93B176
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B9308B9
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B93BF22
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B937218
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B931F18
Source: C:\Users\user\System32.exe | Code function: 18_2_00007FFD9B9336E8
Source: C:\Users\user\System32.exe | Code function: 26_2_00007FFD9B9108B9
Source: C:\Users\user\System32.exe | Code function: 26_2_00007FFD9B911F18
Source: C:\Users\user\System32.exe | Code function: 26_2_00007FFD9B9136E8
Source: Nova Mod Pack.exe, 00000000.00000002.2575151329.0000000013148000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewalient.exe4 vs Nova Mod Pack.exe
Source: Nova Mod Pack.exe, 00000000.00000000.1718764517.0000000000C6A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewalient.exe4 vs Nova Mod Pack.exe
Source: Nova Mod Pack.exe, 00000000.00000002.2585345705.000000001CB70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesc vs Nova Mod Pack.exe
Source: Nova Mod Pack.exe | Binary or memory string: OriginalFilenamewalient.exe4 vs Nova Mod Pack.exe
Source: Nova Mod Pack.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Nova Mod Pack.exe | Static PE information: Section: q>"//S ZLIB complexity 1.0004714439655173
Source: System32.exe.0.dr | Static PE information: Section: q>"//S ZLIB complexity 1.0004714439655173
Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/24@1/1
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | File created: C:\Users\user\System32.exe
Source: C:\Users\user\System32.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:932:120:WilError_03
Source: C:\Users\user\System32.exe | Mutant created: \Sessions\1\BaseNamedObjects\XFfM62rWm2apQ38y
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat""
Source: Nova Mod Pack.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Nova Mod Pack.exe | Virustotal: Detection: 50%
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | File read: C:\Users\user\Desktop\Nova Mod Pack.exe
Source: unknown | Process created: C:\Users\user\Desktop\Nova Mod Pack.exe "C:\Users\user\Desktop\Nova Mod Pack.exe"
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nova Mod Pack.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\System32.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\System32.exe C:\Users\user\System32.exe
Source: unknown | Process created: C:\Users\user\System32.exe "C:\Users\user\System32.exe"
Source: unknown | Process created: C:\Users\user\System32.exe "C:\Users\user\System32.exe"
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /f /tn "System32"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Users\user\System32.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\System32.exe C:\Users\user\System32.exe
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe'
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nova Mod Pack.exe'Jump to behavior
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\System32.exe'Jump to behavior
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'Jump to behavior
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /f /tn "System32"Jump to behavior
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat""Jump to behavior
                Source: C:\Users\user\System32.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\Nova Mod Pack.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\System32.exe | Section loaded: mscoree.dll
Source: C:\Users\user\System32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\System32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\System32.exe | Section loaded: version.dll
Source: C:\Users\user\System32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\System32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\System32.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\System32.exe | Section loaded: mscoree.dll
Source: C:\Users\user\System32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\System32.exe | Section loaded: version.dll
Source: C:\Users\user\System32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\System32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\System32.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\System32.exe | Section loaded: mscoree.dll
Source: C:\Users\user\System32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\System32.exe | Section loaded: version.dll
Source: C:\Users\user\System32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\System32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\System32.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\System32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\System32.exe | Section loaded: wldp.dll
Source: C:\Users\user\System32.exe | Section loaded: propsys.dll
Source: C:\Users\user\System32.exe | Section loaded: profapi.dll
Source: C:\Users\user\System32.exe | Section loaded: edputil.dll
Source: C:\Users\user\System32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\System32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\System32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\System32.exe | Section loaded: netutils.dll
Source: C:\Users\user\System32.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\System32.exe | Section loaded: wintypes.dll
Source: C:\Users\user\System32.exe | Section loaded: appresolver.dll
Source: C:\Users\user\System32.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\System32.exe | Section loaded: slc.dll
Source: C:\Users\user\System32.exe | Section loaded: userenv.dll
Source: C:\Users\user\System32.exe | Section loaded: sppc.dll
Source: C:\Users\user\System32.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\System32.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\System32.exe | Section loaded: sxs.dll
Source: C:\Users\user\System32.exe | Section loaded: mpr.dll
Source: C:\Users\user\System32.exe | Section loaded: scrrun.dll
Source: C:\Users\user\System32.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\System32.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\System32.exe | Section loaded: cscapi.dll
Source: C:\Users\user\System32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\System32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\System32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\System32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\System32.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\System32.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\System32.exe | Section loaded: amsi.dll
Source: C:\Users\user\System32.exe | Section loaded: avicap32.dll
Source: C:\Users\user\System32.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\System32.exe | Section loaded: winmm.dll
Source: C:\Users\user\System32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\System32.exe | Section loaded: mscoree.dll
Source: C:\Users\user\System32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\System32.exe | Section loaded: version.dll
Source: C:\Users\user\System32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\System32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\System32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\System32.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\System32.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                Source: System32.lnk.0.dr LNK file: ..\..\..\..\..\..\..\System32.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Nova Mod Pack.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Nova Mod Pack.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: initial sample Static PE information: section where entry point is pointing to: ffRTxOWi
                Source: Nova Mod Pack.exe Static PE information: section name: q>"//S
                Source: Nova Mod Pack.exe Static PE information: section name: ffRTxOWi
                Source: System32.exe.0.dr Static PE information: section name: q>"//S
                Source: System32.exe.0.dr Static PE information: section name: ffRTxOWi
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Code function: 0_2_00007FFD9B935BA8 pushad ; retf 9B82h 0_2_00007FFD9B935BE1
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Code function: 0_2_00007FFD9B943002 push esp; ret 0_2_00007FFD9B943003
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Code function: 0_2_00007FFD9B942EE2 push ebp; ret 0_2_00007FFD9B942EE4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B82D2A5 pushad ; iretd 1_2_00007FFD9B82D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B945074 pushad ; ret 1_2_00007FFD9B945083
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BA12316 push 8B485F91h; iretd 1_2_00007FFD9BA1231B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B81D2A5 pushad ; iretd 4_2_00007FFD9B81D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BA02316 push 8B485F92h; iretd 4_2_00007FFD9BA0231B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B81D2A5 pushad ; iretd 9_2_00007FFD9B81D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B93A9A7 push esp; retf 9_2_00007FFD9B93A9A8
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9BA02316 push 8B485F92h; iretd 9_2_00007FFD9BA0231B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9BA01270 pushad ; retf 9_2_00007FFD9BA01271
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B80D2A5 pushad ; iretd 11_2_00007FFD9B80D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B9F2316 push 8B485F93h; iretd 11_2_00007FFD9B9F231B
                Source: Nova Mod Pack.exe Static PE information: section name: q>"//S entropy: 7.995340952816379
                Source: Nova Mod Pack.exe Static PE information: section name: .text entropy: 6.85022467714137
                Source: System32.exe.0.dr Static PE information: section name: q>"//S entropy: 7.995340952816379
                Source: System32.exe.0.dr Static PE information: section name: .text entropy: 6.85022467714137
                Source: Nova Mod Pack.exe, ClientSocket.cs High entropy of concatenated method names: 'fmxMjyNnBqxZsbSVKjzYYAtioaKlPZIHDlllQeL', 'SSWLrpIhkyrmgFOFSpxjOByBIPwh', 'GeGxYggDIQZsCaqIvAYwFtBGCMqtvcCSArDtKOhyIc', 'yyQlBhTmoxKkn', 'ZVmPMiGogRlwXXGtzODjciMBPlBPnuP', 'qQLTVJVUDk', 'YZekVGVYWHeBQiLaAGQa', 'beggmNyQSJGRRNBKbGjswTzmoUKjIvnMkGWVYd', 'SwhdYxJZvkqzZHIoiFUSrcoixvTHlQGLXXq', 'oPBOEVpZrVnfBrOpelrPiZGDEcOEDEBcqNasegnvNoQBhO'
                Source: System32.exe.0.dr, ClientSocket.cs High entropy of concatenated method names: 'fmxMjyNnBqxZsbSVKjzYYAtioaKlPZIHDlllQeL', 'SSWLrpIhkyrmgFOFSpxjOByBIPwh', 'GeGxYggDIQZsCaqIvAYwFtBGCMqtvcCSArDtKOhyIc', 'yyQlBhTmoxKkn', 'ZVmPMiGogRlwXXGtzODjciMBPlBPnuP', 'qQLTVJVUDk', 'YZekVGVYWHeBQiLaAGQa', 'beggmNyQSJGRRNBKbGjswTzmoUKjIvnMkGWVYd', 'SwhdYxJZvkqzZHIoiFUSrcoixvTHlQGLXXq', 'oPBOEVpZrVnfBrOpelrPiZGDEcOEDEBcqNasegnvNoQBhO'
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe File created: C:\Users\user\System32.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Nova Mod Pack.exe File created: C:\Users\user\System32.exe
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk
                Source: C:\Users\user\System32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System32
                Source: C:\Users\user\System32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System32

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (91 identical events)
                Source: C:\Users\user\System32.exe Process information set: NOOPENFILEERRORBOX (58 identical events)

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Nova Mod Pack.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\System32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Memory allocated: 15B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Memory allocated: 1B140000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: A40000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: 1A6B0000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: 2F60000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: 1B260000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: C80000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: 1A7C0000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: 760000 memory reserve | memory write watch
                Source: C:\Users\user\System32.exe Memory allocated: 1A620000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 events)
                Source: C:\Users\user\System32.exe Thread delayed: delay time: 922337203685477 (4 events)
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Window / User API: threadDelayed 5412
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Window / User API: threadDelayed 4403
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5318
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4489
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6248
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3471
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6686
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2966
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7740
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1918
                Source: C:\Users\user\System32.exe Window / User API: threadDelayed 6281
                Source: C:\Users\user\System32.exe Window / User API: threadDelayed 3565
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe TID: 5432 Thread sleep time: -18446744073709540s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676 Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep count: 6248 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep count: 3471 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep count: 6686 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep count: 2966 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228 Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5104 Thread sleep count: 7740 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324 Thread sleep count: 1918 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Users\user\System32.exe TID: 4956 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\System32.exe TID: 3084 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\System32.exe TID: 736 Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Users\user\System32.exe TID: 1016 Thread sleep count: 6281 > 30
                Source: C:\Users\user\System32.exe TID: 1016 Thread sleep count: 3565 > 30
                Source: C:\Users\user\System32.exe TID: 5288 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 events)
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe File Volume queried: C:\ FullSizeInformation (2 events)
                Source: C:\Users\user\System32.exe File Volume queried: C:\ FullSizeInformation (5 events)
                Source: System32.exe, 00000012.00000002.2987943138.000000001B660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Nova Mod Pack.exe, 00000000.00000002.2579065589.000000001BC17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Nova Mod Pack.exe, 00000000.00000002.2563349884.00000000010E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process token adjusted: Debug (2 events)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 events)
                Source: C:\Users\user\System32.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe' (4 events)
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\System32.exe' (3 events)
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nova Mod Pack.exe'
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /f /tn "System32"
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat""
                Source: C:\Users\user\System32.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
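The powershell.exe and schtasks.exe command lines above are the host-side footprint a responder can check for directly: Defender exclusions for the sample and its copy, a scheduled task named "System32" that relaunches C:\Users\user\System32.exe every minute, and the dropped copy itself. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it audits a suspect host for those artefacts in read-only fashion. It assumes an elevated Windows PowerShell session with the Defender and ScheduledTasks modules present (Windows 10/11). The task name and the %USERPROFILE%\System32.exe path come from the report; the path regexes, the "bare process name" heuristic and the output layout are choices of this example.

```powershell
# Read-only triage for the persistence and defence-evasion artefacts seen in this report.
# Added example: not part of the sandbox report or of the analysed sample. Run elevated.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Category, $Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Defender exclusions. The sample adds -ExclusionPath entries for both of its files and
#    -ExclusionProcess entries for both image names. Exclusions pointing into a user profile,
#    or bare image names (which exclude every process with that name), are rarely legitimate.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
    if ($p -match '^[A-Za-z]:\\Users\\') { Add-Finding 'Defender ExclusionPath in user profile' $p }
}
foreach ($p in @($pref.ExclusionProcess | Where-Object { $_ })) {
    if ($p -match '^[^\\]+\.exe$') { Add-Finding 'Defender ExclusionProcess (bare image name)' $p }
}

# 2. Scheduled tasks. The report shows a task called "System32" whose action runs an .exe
#    from C:\Users every minute; check both the exact name and the general pattern.
$named = Get-ScheduledTask -TaskName 'System32' -ErrorAction SilentlyContinue
if ($named) { Add-Finding 'Scheduled task named System32' ("{0}{1}" -f $named.TaskPath, $named.TaskName) }
foreach ($t in Get-ScheduledTask) {
    foreach ($a in @($t.Actions)) {
        if ($a.Execute -and $a.Execute -match '\\Users\\') {
            $detail = "{0}{1} -> {2} {3}" -f $t.TaskPath, $t.TaskName, $a.Execute, $a.Arguments
            Add-Finding 'Scheduled task executing from user profile' $detail
        }
    }
}

# 3. The dropped copy named in the report, hashed so it can be matched against the report.
$dropped = Join-Path $env:USERPROFILE 'System32.exe'
if (Test-Path -LiteralPath $dropped) {
    $h = Get-FileHash -Algorithm SHA256 -LiteralPath $dropped
    Add-Finding 'Dropped file present' ("{0} SHA256={1}" -f $dropped, $h.Hash)
}

# 4. Anything in the per-user Startup folder (the report also flags a Startup entry).
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Startup folder entry' $_.FullName
}

if ($Findings.Count -eq 0) { 'No matching artefacts found.' } else { $Findings | Format-Table -AutoSize }
```

A hit in category 1 or 2 on a host that was never meant to run this sample is strong evidence on its own; the exclusion entries in particular survive a reboot and are not removed by deleting the executable, so remediation has to call Remove-MpPreference and Unregister-ScheduledTask as well as removing the file.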
                Source: System32.exe, 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.0000000002840000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.0000000002833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: Nova Mod Pack.exe, 00000000.00000002.2568453505.0000000003141000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: System32.exe, 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.0000000002840000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.0000000002833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: System32.exe, 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.0000000002840000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.0000000002833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                Source: System32.exe, 00000012.00000002.2981784134.0000000002840000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Queries volume information: C:\Users\user\Desktop\Nova Mod Pack.exe VolumeInformation
                Source: C:\Users\user\Desktop\Nova Mod Pack.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 events)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 events)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Users\user\System32.exeQueries volume information: C:\Users\user\System32.exe VolumeInformation
                Source: C:\Users\user\System32.exeQueries volume information: C:\Users\user\System32.exe VolumeInformation
                Source: C:\Users\user\System32.exeQueries volume information: C:\Users\user\System32.exe VolumeInformation
                Source: C:\Users\user\System32.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\System32.exeQueries volume information: C:\Users\user\System32.exe VolumeInformation
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: System32.exe, 00000012.00000002.2987943138.000000001B6DB000.00000004.00000020.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2987943138.000000001B660000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\Nova Mod Pack.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\System32.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2568453505.0000000003196000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Nova Mod Pack.exe PID: 6924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System32.exe PID: 3960, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2568453505.0000000003196000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Nova Mod Pack.exe PID: 6924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System32.exe PID: 3960, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 12 Process Injection | 111 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scripting | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 DLL Side-Loading | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1468055 | Sample: Nova Mod Pack.exe | Startdate: 05/07/2024 | Architecture: WINDOWS | Score: 100
Start
  DNS/IP: pdf-standards.gl.at.ply.gg
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 13 other signatures
  Started: Nova Mod Pack.exe; System32.exe; System32.exe; 2 other processes
Nova Mod Pack.exe
  DNS/IP: pdf-standards.gl.at.ply.gg 147.185.221.20, ports 49738, 49739, 59683, SALSGIVERUS, United States
  Dropped: C:\Users\user\System32.exe (PE32); C:\Users\user\...\Nova Mod Pack.exe.log (CSV)
  Signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
  Started: powershell.exe; powershell.exe; powershell.exe; 4 other processes
System32.exe (first instance)
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file
System32.exe (second instance)
  Started: schtasks.exe
powershell.exe (first instance)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe
powershell.exe (second and third instances), schtasks.exe
  Started: conhost.exe (one each)
4 other processes
  Started: conhost.exe; conhost.exe; conhost.exe; 2 other processes

Source | Detection | Scanner | Label
Nova Mod Pack.exe | 51% | Virustotal |
Nova Mod Pack.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\System32.exe | 100% | Joe Sandbox ML |
C:\Users\user\System32.exe | 39% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\System32.exe | 51% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
pdf-standards.gl.at.ply.gg | 3% | Virustotal |

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://discord.gg/sU6Cv4MGev | 0% | Avira URL Cloud | safe
http://schemas.mic | 0% | Avira URL Cloud | safe
http://www.microsoft. | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://ion=v4.5 | 0% | Avira URL Cloud | safe
http://www.microsoft.cob | 0% | Avira URL Cloud | safe
pdf-standards.gl.at.ply.gg | 0% | Avira URL Cloud | safe
http://crl.micros | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 1% | Virustotal |
https://discord.gg/sU6Cv4MGev | 1% | Virustotal |
http://www.microsoft. | 2% | Virustotal |
pdf-standards.gl.at.ply.gg | 3% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pdf-standards.gl.at.ply.gg | 147.185.221.20 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
pdf-standards.gl.at.ply.gg | true | 3%, Virustotal; Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1801297927.00000257C8A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1886402484.0000028C90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2041393636.0000028BCEDF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.gg/sU6Cv4MGev | Nova Mod Pack.exe, System32.exe.0.dr | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.mic | powershell.exe, 00000004.00000002.1904913024.0000028CFC1B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1785804571.00000257B8C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBEFA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ion=v4.5 | powershell.exe, 00000004.00000002.1906050473.0000028CFC2A3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1785804571.00000257B8C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBEFA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1801297927.00000257C8A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1886402484.0000028C90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2041393636.0000028BCEDF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2244990860.0000021B657EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft. | powershell.exe, 0000000B.00000002.2273470371.0000021B6DBF3000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1785804571.00000257B89F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBED81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B55781000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Nova Mod Pack.exe, 00000000.00000002.2568453505.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1785804571.00000257B89F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833983505.0000028C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1943157280.0000028BBED81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2107660814.0000021B55781000.00000004.00000800.00020000.00000000.sdmp, System32.exe, 00000012.00000002.2981784134.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe |
                unknown
                https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2107660814.0000021B559A9000.00000004.00000800.00020000.00000000.sdmpfalse
                • 1%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://www.microsoft.cobpowershell.exe, 00000004.00000002.1904913024.0000028CFC1B3000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://crl.microspowershell.exe, 00000001.00000002.1807733440.00000257D0FC0000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.20 | pdf-standards.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1468055
                Start date and time:2024-07-05 09:32:33 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 54s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Nova Mod Pack.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@32/24@1/1
                EGA Information:
                • Successful, ratio: 55.6%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 72
                • Number of non-executed functions: 6
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 1004 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 2564 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 6164 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 6208 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:33:34 | API Interceptor | 50x Sleep call for process: powershell.exe modified
03:34:36 | API Interceptor | 8x Sleep call for process: Nova Mod Pack.exe modified
03:34:51 | API Interceptor | 33x Sleep call for process: System32.exe modified
08:34:29 | Task Scheduler | Run new task: System32 path: C:\Users\user\System32.exe
08:34:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System32 C:\Users\user\System32.exe
08:34:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run System32 C:\Users\user\System32.exe
08:34:48 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.20 | Nova Launcher V2.exe | malicious | XWorm
147.185.221.20 | x433.exe | malicious | XWorm
147.185.221.20 | fg}.exe | malicious | XWorm
147.185.221.20 | build.exe | malicious | RedLine
147.185.221.20 | Ph58Rkdxor.exe | malicious | XWorm
147.185.221.20 | 4kvADqDmZ4.exe | malicious | PureLog Stealer, XWorm
147.185.221.20 | Discord Tools.exe | malicious | XWorm
147.185.221.20 | Image logger beta.exe | malicious | AsyncRAT, XWorm
147.185.221.20 | fart.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm
147.185.221.20 | fart.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | APPoKkkk8h.exe | malicious | Unknown | 147.185.221.17
SALSGIVERUS | Nova Launcher V2.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | ptKNiAaGus.exe | malicious | Unknown | 147.185.221.18
SALSGIVERUS | beK7HmoXro.exe | malicious | Unknown | 147.185.221.18
SALSGIVERUS | ocuALPV2c7.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | x433.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | fg}.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | build.exe | malicious | RedLine | 147.185.221.20
SALSGIVERUS | bJLd0SUHfj.exe | malicious | Unknown | 147.185.221.18
SALSGIVERUS | PGjIoaqfQY.exe | malicious | Unknown | 147.185.221.18
No context
No context
                                    Process:C:\Users\user\Desktop\Nova Mod Pack.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1727
                                    Entropy (8bit):5.3718223239563105
                                    Encrypted:false
                                    SSDEEP:48:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0HKCtHTHhAHKKkhHNpv:iqbYqGSI6o9Zp/ellwmj0qCtzHeqKkhb
                                    MD5:B29117AF77B80C784A548D17E964319B
                                    SHA1:A1C2BFE39743440103E436CA1497F3805752B0EA
                                    SHA-256:023B81706552427A23E3A8CAC01F267277DC566675778757A8172FAB8D186816
                                    SHA-512:AA383061BB616E7A3E088B8E2C8698A2155C0E365D5FD169E11E552E7A9C4608CB16F3DF63FC08AAC598070C48B2E16AB3B8EA0943BB40F98597A612B27A80AA
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
                                    Process:C:\Users\user\System32.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):654
                                    Entropy (8bit):5.380476433908377
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):64
                                    Entropy (8bit):0.34726597513537405
                                    Encrypted:false
                                    SSDEEP:3:Nlll:Nll
                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                    Malicious:false
                                    Preview:@...e...........................................................
                                    Process:C:\Users\user\Desktop\Nova Mod Pack.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):41
                                    Entropy (8bit):3.7195394315431693
                                    Encrypted:false
                                    SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                    MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                    SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                    SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                    SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                    Malicious:false
                                    Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\Nova Mod Pack.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):154
                                    Entropy (8bit):5.031026496571461
                                    Encrypted:false
                                    SSDEEP:3:mKDDCMNqTtv3Dt+WfHvhs9rIsoaPvTAQDwU1hGDt+kiE2J5xAInTRI8Ho5ZPy:hWKqTtLwQO9MJaPvT9DNewkn23fTdQk
                                    MD5:A61D3C7C6CE1CFD638A5330E44D78EB7
                                    SHA1:1663377DA48F38050FA6C91814975E15E623DDA3
                                    SHA-256:B495C1D3E81F255F039AE27F93F2FED7C1775938D01C66B7E07B48646EF0BDC2
                                    SHA-512:DF821BD58517394F79766192CEDB119D5CF5A92526841B0517CAD1FB1A97B575988E5B2023C16D3483B1881E122F286F01F076A11D010FB22C1EAE9109D3E01F
                                    Malicious:false
                                    Preview:@echo off..timeout 3 > NUL..CD C:\Users\user\Desktop..DEL "Nova Mod Pack.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp3B7C.tmp.bat" /f /q..
                                    Process:C:\Users\user\Desktop\Nova Mod Pack.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jul 5 06:34:28 2024, mtime=Fri Jul 5 06:34:48 2024, atime=Fri Jul 5 06:34:28 2024, length=124416, window=hide
                                    Category:dropped
                                    Size (bytes):780
                                    Entropy (8bit):5.070612851065299
                                    Encrypted:false
                                    SSDEEP:12:87l/s2k4uKl7mSs2CqZI7lNjAUFfTlwgUNwuL3qLUpypW44t2YZ/elFlSJmZmV:8h/9x7V7ZS7lpAUFblw7X8TqyFm
                                    MD5:7358F6B029CF6EC94E118015A4F5B015
                                    SHA1:61EA1760984CEDD347D0BB9F818B55426748B093
                                    SHA-256:E289C3F8C3AC8EBC6C5FDF8EDE188FAC8EDFD1B71F40061460317EBACB46E936
                                    SHA-512:4A019AD218285CBA24E0CBF5EC1A3072EA7E6BF385F54960BD46F37BB0E037F0B25372BB57BDAD609732D9007BAE3D1D6C8BDDAD55B8847EAE167F81595030E6
                                    Malicious:false
                                    Preview:L..................F.... .....m......Q......m..............................:..DG..Yr?.D..U..k0.&...&......vk.v......m.....O^........t.".CFSF..2......XO< .System32.exe....t.Y^...H.g.3..(.....gVA.G..k...J.......XO<.XO<....L.....................k.!.S.y.s.t.e.m.3.2...e.x.e...H...J...............-.......I...................C:\Users\user\System32.exe..!.....\.....\.....\.....\.....\.....\.....\.S.y.s.t.e.m.3.2...e.x.e.............:...........|....I.J.H..K..:...`.......X.......980108...........hT..CrF.f4... .....:...,.......hT..CrF.f4... .....:...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                    Process:C:\Users\user\Desktop\Nova Mod Pack.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):124416
                                    Entropy (8bit):7.260208712661374
                                    Encrypted:false
                                    SSDEEP:3072:0ojAQkj90n5EIrHshi+LFUWHnGWdw8OkG2Li0HbovOm:YjWnSeGisFXnJw8Ziib
                                    MD5:5C76D15A7D3F57F26EDC494BD9DB318B
                                    SHA1:CFA089D8D7E9FDE67B6CB85827D33431B2D80066
                                    SHA-256:AF872E954905DBFEB165DA42D722889A7DFC4B84E88B52C9ABC9DE18A1A9D74F
                                    SHA-512:3D7A621DCB56A8D8DED08E49C34C77071BCB8E8F408ACD2EC9C00FF887342D1E3BE935F3AD56B33EF7A96D0D85E1E36B6CCCC9498A2B0FE96DAB7B5D5747C1FB
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\System32.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 39%
                                    • Antivirus: Virustotal, Detection: 51%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..f.................~...d.......@....... ....@.. ....................................@.................................`...K.... .......................`.......................................................@..................H............q>."//S..... ......................@....q>."//S............................@....text....z.......|...`.............. ..`.rsrc........ ......................@..@ffRTxOWi.....@...................... ..`.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\timeout.exe
                                    File Type:ASCII text, with CRLF line terminators, with overstriking
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.41440934524794
                                    Encrypted:false
                                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                    Malicious:false
                                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.260208712661374
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    • Win32 Executable (generic) a (10002005/4) 49.96%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:Nova Mod Pack.exe
                                    File size:124'416 bytes
                                    MD5:5c76d15a7d3f57f26edc494bd9db318b
                                    SHA1:cfa089d8d7e9fde67b6cb85827d33431b2d80066
                                    SHA256:af872e954905dbfeb165da42d722889a7dfc4b84e88b52c9abc9de18a1a9d74f
                                    SHA512:3d7a621dcb56a8d8ded08e49c34c77071bcb8e8f408acd2ec9c00ff887342d1e3be935f3ad56b33ef7a96d0d85e1e36b6cccc9498a2b0fe96dab7b5d5747c1fb
                                    SSDEEP:3072:0ojAQkj90n5EIrHshi+LFUWHnGWdw8OkG2Li0HbovOm:YjWnSeGisFXnJw8Ziib
                                    TLSH:40C3AE05778AC7A2C2AE5FB299A2E1144638F54B4F12DB5F3CC56BDC3EA93EC06045D2
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..f.................~...d.......@....... ....@.. ....................................@................................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x42400a
                                    Entrypoint Section:ffRTxOWi
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6687085D [Thu Jul 4 20:38:53 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00424000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a560 | 0x4b | .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x4ce | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x26000 | 0xc | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x8 | ffRTxOWi
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x1a000 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     q>"//S | 0x2000 | 0xac8c | 0xae00 | 28bf4165eda54cf2ec5910b516aabddb | False | 0.5344154094827587 | data | 6.127066800406688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     q>"//S | 0xe000 | 0xac8c | 0xae00 | 05e341d8d2e1d98857a904ae13fa6d57 | False | 1.0004714439655173 | data | 7.995340952816379 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .text | 0x1a000 | 0x7aac | 0x7c00 | 4066ecca1f270fbe101a29e51ca53a42 | False | 0.687468497983871 | data | 6.85022467714137 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0x22000 | 0x4ce | 0x600 | c5f83f20b37a66a14e12f64022d1e378 | False | 0.3723958333333333 | data | 3.7174080440433235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     ffRTxOWi | 0x24000 | 0x10 | 0x200 | b91ad4c799716ff64ef3e608d626ac60 | False | 0.044921875 | data | 0.14263576814887827 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .reloc | 0x26000 | 0xc | 0x200 | 3418ed3940fad3d2428cc0b4f357943b | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_VERSION | 0x220a0 | 0x244 | data | | | 0.4706896551724138
                                     RT_MANIFEST | 0x222e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                     DLL | Import
                                     mscoree.dll | _CorExeMain
                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                     07/05/24-09:34:48.020705 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     07/05/24-09:35:38.775753 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     07/05/24-09:35:38.774129 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     07/05/24-09:34:47.842512 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     07/05/24-09:35:19.341978 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     07/05/24-09:34:51.952855 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     07/05/24-09:34:49.355900 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jul 5, 2024 09:34:34.023957968 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:34.028884888 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:34.029804945 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:34.149885893 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:34.154824972 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:47.842511892 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:47.847477913 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:47.984044075 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:48.020704985 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:48.025628090 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:49.355900049 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:49.400502920 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:51.952855110 CEST | 59683 | 49738 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:51.994224072 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:52.023865938 CEST | 49738 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:53.055664062 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:53.060734987 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:34:53.060816050 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:53.184518099 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:34:53.189553022 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:03.422676086 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:03.427588940 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:03.696417093 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:03.744286060 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:03.744652987 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:03.749402046 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:13.650829077 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:13.656096935 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:13.796789885 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:13.799139977 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:13.804565907 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:19.341978073 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:19.384957075 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:23.885225058 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:23.890144110 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:24.180840969 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:24.182624102 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:24.187505007 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:34.119652033 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:34.124634981 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:34.258181095 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:34.272618055 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:34.277581930 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:38.635209084 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:38.640281916 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:38.774128914 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Jul 5, 2024 09:35:38.775753021 CEST | 49739 | 59683 | 192.168.2.4 | 147.185.221.20
                                     Jul 5, 2024 09:35:38.780617952 CEST | 59683 | 49739 | 147.185.221.20 | 192.168.2.4
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jul 5, 2024 09:34:33.986721039 CEST | 57648 | 53 | 192.168.2.4 | 1.1.1.1
                                     Jul 5, 2024 09:34:34.017565012 CEST | 53 | 57648 | 1.1.1.1 | 192.168.2.4
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Jul 5, 2024 09:34:33.986721039 CEST | 192.168.2.4 | 1.1.1.1 | 0x8419 | Standard query (0) | pdf-standards.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Jul 5, 2024 09:34:34.017565012 CEST | 1.1.1.1 | 192.168.2.4 | 0x8419 | No error (0) | pdf-standards.gl.at.ply.gg | | 147.185.221.20 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:03:33:29
                                    Start date:05/07/2024
                                    Path:C:\Users\user\Desktop\Nova Mod Pack.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\Nova Mod Pack.exe"
                                    Imagebase:0xc50000
                                    File size:124'416 bytes
                                    MD5 hash:5C76D15A7D3F57F26EDC494BD9DB318B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2568453505.0000000003196000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:03:33:33
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Nova Mod Pack.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:03:33:33
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:03:33:39
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nova Mod Pack.exe'
                                    Imagebase:0x7ff7699e0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:03:33:39
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:03:33:49
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\System32.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:03:33:49
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:03:34:05
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:03:34:05
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:03:34:28
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:03:34:28
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:03:34:29
                                    Start date:05/07/2024
                                    Path:C:\Users\user\System32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\System32.exe
                                    Imagebase:0x4e0000
                                    File size:124'416 bytes
                                    MD5 hash:5C76D15A7D3F57F26EDC494BD9DB318B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\System32.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 39%, ReversingLabs
                                    • Detection: 51%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:true

                                    Target ID:16
                                    Start time:03:34:39
                                    Start date:05/07/2024
                                    Path:C:\Users\user\System32.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\System32.exe"
                                    Imagebase:0xe50000
                                    File size:124'416 bytes
                                    MD5 hash:5C76D15A7D3F57F26EDC494BD9DB318B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:18
                                    Start time:03:34:47
                                    Start date:05/07/2024
                                    Path:C:\Users\user\System32.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\System32.exe"
                                    Imagebase:0x520000
                                    File size:124'416 bytes
                                    MD5 hash:5C76D15A7D3F57F26EDC494BD9DB318B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000012.00000002.2981784134.000000000281B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:19
                                    Start time:03:34:50
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\schtasks.exe" /delete /f /tn "System32"
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:20
                                    Start time:03:34:50
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:03:34:50
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat""
                                    Imagebase:0x7ff7bbd10000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:03:34:50
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:03:34:50
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\timeout.exe
                                    Wow64 process (32bit):false
                                    Commandline:timeout 3
                                    Imagebase:0x7ff6dac10000
                                    File size:32'768 bytes
                                    MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:03:34:51
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:03:34:51
                                    Start date:05/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:03:35:01
                                    Start date:05/07/2024
                                    Path:C:\Users\user\System32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\System32.exe
                                    Imagebase:0x210000
                                    File size:124'416 bytes
                                    MD5 hash:5C76D15A7D3F57F26EDC494BD9DB318B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true
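
The process chain above is the actionable part of this report for a detection engineer: three PowerShell Add-MpPreference calls that carve the dropper and the dropped C:\Users\user\System32.exe out of Defender scanning, a schtasks task named "System32" that re-launches the user-profile binary every minute with /RL HIGHEST, and a delete-then-recreate of that task driven from a .bat in %TEMP% (the second registration, Target ID 24, runs without elevation and therefore without /RL HIGHEST). The following is an added example, not part of the Joe Sandbox report and not the sample's own code: a small Python rule set run over process-creation events constructed from the command lines listed above. The event shape is a trimmed subset of Sysmon Event ID 1 / Security 4688 fields, the date is read as 5 July 2024, and the 03:30:00 "Backup" task is invented as a benign control case so the rules can be seen not to fire on an ordinary daily schedule.

```python
"""Detection rules for the Defender-exclusion / schtasks persistence chain above.

Added example (not from the Joe Sandbox report).  Runs over process-creation
events; only 'ts', 'image' and 'cmdline' are used (constructed subset of
Sysmon Event ID 1 / Security 4688 fields).
"""
import re
from datetime import datetime, timedelta

# Prefixes shared by the command lines in the report.
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
SCHTASKS = r'"C:\Windows\System32\schtasks.exe" '

# Constructed events: timestamps and command lines taken from the process list
# above (date read as 5 July 2024); the 03:30:00 "Backup" task is invented as a
# benign control case and does not appear in the report.
EVENTS = [
    {"ts": "2024-07-05 03:30:00", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": SCHTASKS + r'/create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Tool\backup.exe"'},
    {"ts": "2024-07-05 03:33:39", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS + "Add-MpPreference -ExclusionProcess 'Nova Mod Pack.exe'"},
    {"ts": "2024-07-05 03:33:49", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS + r"Add-MpPreference -ExclusionPath 'C:\Users\user\System32.exe'"},
    {"ts": "2024-07-05 03:34:05", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS + "Add-MpPreference -ExclusionProcess 'System32.exe'"},
    {"ts": "2024-07-05 03:34:28", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": SCHTASKS + r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"'},
    {"ts": "2024-07-05 03:34:50", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": SCHTASKS + r'/delete /f /tn "System32"'},
    {"ts": "2024-07-05 03:34:50", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3B7C.tmp.bat""'},
    {"ts": "2024-07-05 03:34:50", "image": r"C:\Windows\System32\timeout.exe", "cmdline": "timeout 3"},
    {"ts": "2024-07-05 03:34:51", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": SCHTASKS + r'/create /f /sc minute /mo 1 /tn "System32" /tr "C:\Users\user\System32.exe"'},
]

# Add-MpPreference -Exclusion<Kind> <value>, value quoted with ' or " or bare.
RE_MP_EXCL = re.compile(
    r'''Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|"([^"]*)"|(\S+))''',
    re.I)
# A batch file executed out of the per-user temp directory.
RE_TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\\S+?\.bat", re.I)
USER_PROFILE = "c:\\users\\"          # anything below here is user-writable


def parse_schtasks(cmdline):
    """Pull the switches that matter out of a schtasks.exe command line."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    info = {"action": None, "tn": None, "sc": None, "mo": None, "tr": None, "rl": None}
    for i, tok in enumerate(toks):
        low = tok.lower()
        if low in ("/create", "/delete", "/change", "/run"):
            info["action"] = low[1:]
        elif low in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            info[low[1:]] = toks[i + 1]
    return info


def analyze(events, churn_window=timedelta(seconds=30)):
    """Return a list of findings (dicts with at least 'rule' and 'ts'), in event order."""
    findings = []
    last_delete = {}                      # task name (lower) -> time of the last /delete
    for ev in events:
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        image, cmd = ev["image"].lower(), ev["cmdline"]
        if image.endswith("powershell.exe"):
            m = RE_MP_EXCL.search(cmd)
            if m:
                value = m.group(2) or m.group(3) or m.group(4) or ""
                findings.append({"rule": "defender_exclusion", "ts": ev["ts"],
                                 "kind": m.group(1).lower(), "value": value,
                                 "user_writable": value.lower().startswith(USER_PROFILE)})
        elif image.endswith("schtasks.exe"):
            st = parse_schtasks(cmd)
            name = (st["tn"] or "").lower()
            if st["action"] == "delete" and name:
                last_delete[name] = ts
            elif st["action"] == "create":
                target = st["tr"] or ""
                every = None
                if (st["sc"] or "").lower() == "minute" and (st["mo"] or "1").isdigit():
                    every = int(st["mo"] or "1")
                # A user-profile binary re-launched every few minutes is the persistence pattern above.
                if every is not None and every <= 5 and target.lower().startswith(USER_PROFILE):
                    findings.append({"rule": "schtasks_user_binary_high_frequency", "ts": ev["ts"],
                                     "task": st["tn"], "every_min": every, "target": target,
                                     "highest": (st["rl"] or "").upper() == "HIGHEST"})
                prev = last_delete.get(name)
                if prev is not None and timedelta(0) <= ts - prev <= churn_window:
                    findings.append({"rule": "task_delete_recreate", "ts": ev["ts"],
                                     "task": st["tn"], "gap_s": (ts - prev).total_seconds()})
        elif image.endswith("cmd.exe") and RE_TEMP_BAT.search(cmd):
            findings.append({"rule": "cmd_batch_from_temp", "ts": ev["ts"], "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["ts"], f["rule"], {k: v for k, v in f.items() if k not in ("ts", "rule")})
```

Two points worth keeping in mind when tuning this: -ExclusionPath and -ExclusionProcess are different controls (the first excludes a file or folder from scanning, the second excludes files opened by any process with that image name), which is why the sample registers both for System32.exe; and the re-created task has no /RL HIGHEST because the schtasks.exe that registered it ran without elevation, so the rule records the run level as observed rather than assuming the first registration's value.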


                                      Execution Graph

                                      Execution Coverage:7.6%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:16.7%
                                      Total number of Nodes:18
                                      Total number of Limit Nodes:0
                                      Execution graph (interactive in the original; the API-calling paths it contained):
                                      • 7ffd9b935123 -> 7ffd9b93513f RtlSetProcessIsCritical -> 7ffd9b935212
                                      • 7ffd9b930ecc -> 7ffd9b930eef VirtualProtect -> 7ffd9b930f91
                                      • 7ffd9b9308b9 -> 7ffd9b9308cf -> 7ffd9b930520 -> 7ffd9b930529 VirtualProtect -> 7ffd9b931091 -> 7ffd9b930d2b
                                      • 7ffd9b935bda -> 7ffd9b935bdf -> 7ffd9b935808 -> 7ffd9b935811 SetWindowsHookExW -> 7ffd9b935ec1 -> 7ffd9b935c3b

                                      Control-flow Graph

                                      Control-flow graph for the function at 7ffd9b9308b9 (interactive in the original, blocks marked executed / not executed): blocks 7ffd9b9308b9-7ffd9b930ec7; calls 7ffd9b930520 from block 7ffd9b930c76 and 7ffd9b930530 four times from blocks 7ffd9b930d93-7ffd9b930ea8; no API is called directly from this function.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: cd9aa3142cc70ccf1420aa5f4ffc13a0420f3cbae44b602c1a0d6daca9443c3d
                                      • Instruction ID: e443d36e63e8ebb714fc3d3948ea87ef244c09efdeee43da3ec36756e34d3262
                                      • Opcode Fuzzy Hash: cd9aa3142cc70ccf1420aa5f4ffc13a0420f3cbae44b602c1a0d6daca9443c3d
                                      • Instruction Fuzzy Hash: 4F22F0706287498FD758DF08C891A69B7E1FF98700F5146BDD89AC72A6DB34F802CB81

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,
                                      • API String ID: 0-3772416878
                                      • Opcode ID: 23091519a3b477151dad35bb8b0d5be44521cde93c40084d9c9992d1d89c67bf
                                      • Instruction ID: f03690c6604ba6ed456dabe3c75a8b4743ca6f4c595e213915ab2faebf4528d9
                                      • Opcode Fuzzy Hash: 23091519a3b477151dad35bb8b0d5be44521cde93c40084d9c9992d1d89c67bf
                                      • Instruction Fuzzy Hash: 3FB14631A0E7C64FD707D77888656A47FE1EF47320B1902EAD085CB1E7DA68A806C791

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 6
                                      • API String ID: 0-498629140
                                      • Opcode ID: 713568aeddc86ded0d5c15798382254c57554c43d9cd6b9cc6fcfebf45ddca3f
                                      • Instruction ID: 237db1e354f8469df6b40e07b2b37ed32b5d3d3a324cd69b335ae44ecd493c2b
                                      • Opcode Fuzzy Hash: 713568aeddc86ded0d5c15798382254c57554c43d9cd6b9cc6fcfebf45ddca3f
                                      • Instruction Fuzzy Hash: 2B51F53171C5095BDB1CEE6CA8579B973D6E789310F10423DE89BC32A2FD28A91346C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6fbbefb25205bf8519d05585a7aefd182cf635a88b8619d96004728659853b95
                                      • Instruction ID: 29a12a55410ee4dfe921f2a7d31c75a276b8450673afb04db880592771898497
                                      • Opcode Fuzzy Hash: 6fbbefb25205bf8519d05585a7aefd182cf635a88b8619d96004728659853b95
                                      • Instruction Fuzzy Hash: 4322A431B2D51A4FE76CE76888A57B973D3EB88304F5141B9D44EC72EBDE38AD428640
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 643426cb40b86843a96121687324dc6cb207c7b56daed8e3cf70560ee6f34be4
                                      • Instruction ID: 5eea601023a4ece60a73115bcc3e311830299b5b2abe6e6ac4699d049cfbce27
                                      • Opcode Fuzzy Hash: 643426cb40b86843a96121687324dc6cb207c7b56daed8e3cf70560ee6f34be4
                                      • Instruction Fuzzy Hash: 2BF17B31B1D6894FD759DB78C8656B57FE2EF86310B0941FAD089CB2E7DD28A806C341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3ca3985411b49745a22a71ece8beac2ade26e7e9dc8354ba300ac3ee2e1a7b9
                                      • Instruction ID: fd221643499501b29da564e8da6d442608de79414326c390c073fc2441d745b9
                                      • Opcode Fuzzy Hash: f3ca3985411b49745a22a71ece8beac2ade26e7e9dc8354ba300ac3ee2e1a7b9
                                      • Instruction Fuzzy Hash: 71E1E630A19A4E8FEBA8DF28C8657E937E1FF54310F15426EE84DC7295DF34A9408B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 703b02d9f124f63a9896944b784e9cb95246dc9af8d55f6fe6e3a9fede27b5fb
                                      • Instruction ID: 401dc9776046c35183f0dcf1d01895d5ab00026528dec7800a5f97802dd2cc3c
                                      • Opcode Fuzzy Hash: 703b02d9f124f63a9896944b784e9cb95246dc9af8d55f6fe6e3a9fede27b5fb
                                      • Instruction Fuzzy Hash: 2AE1A430A18A4D8FEBB8EF28C8657E937E1FF54310F04426EE85DC7695DB3899458B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 87e9a09c7c0ac7e15e87ae43400151a705d93fdf578a7d5884a63c3e588ffb4c
                                      • Instruction ID: 5e4135f99aab8010c415c70a5aec3ffee12afed705f1cc13db5827316e2ded7e
                                      • Opcode Fuzzy Hash: 87e9a09c7c0ac7e15e87ae43400151a705d93fdf578a7d5884a63c3e588ffb4c
                                      • Instruction Fuzzy Hash: FDC18C31B1D6494FD358EB7CC8A56B937D2EB89314F15427AD44AC72E7DE68AC038381
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 720877e0b8db8b0ac146ee044bc919d6baee2c1ddc1c7b8943453abe6494c667
                                      • Instruction ID: fd81e38977085edf5ed2487f61cbb62f4eb1d564ae2a9424d5083e498c954713
                                      • Opcode Fuzzy Hash: 720877e0b8db8b0ac146ee044bc919d6baee2c1ddc1c7b8943453abe6494c667
                                      • Instruction Fuzzy Hash: EB31C16154E3C51FC71B9BB84C764A27FB8DF4322471A82EFD4C5CB1A3EA085816C352

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID: @
                                      • API String ID: 2559412058-2766056989
                                      • Opcode ID: cb7362173a2dec776eacb52175fb183da9f7b1483d36458beee76de74ac5d817
                                      • Instruction ID: 9d25e3341afee2a8a64dbe6074484537a10f31b68b333bf5c23c2998031a21f0
                                      • Opcode Fuzzy Hash: cb7362173a2dec776eacb52175fb183da9f7b1483d36458beee76de74ac5d817
                                      • Instruction Fuzzy Hash: 41311830A1CA5C5FDB18EB6CD8556F97BE1FB59311F00427ED04ED3292CA64A816C7C1

                                      Control-flow Graph

                                      Control-flow graph for the function at 7ffd9b935892 (interactive in the original, blocks marked executed / not executed): blocks 7ffd9b935820-7ffd9b935efd; the only API call is SetWindowsHookExW in block 7ffd9b935e82-7ffd9b935ebf.
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 78ff8cabb6d5676a0f5e495fb46621eb63061c8029974eef6e6daf3094c3ba62
                                      • Instruction ID: 3d115b6043241dc2e7c427cbd5c8d498101f80e7e93b493382a70ac53c4a594b
                                      • Opcode Fuzzy Hash: 78ff8cabb6d5676a0f5e495fb46621eb63061c8029974eef6e6daf3094c3ba62
                                      • Instruction Fuzzy Hash: 22412831F1CA5D5FE728EBAC98156B97BE0FF69320F14417ED04AC3292DA25690287C1

                                      Control-flow Graph

                                      Control-flow graph for the function at 7ffd9b935123 (interactive in the original, blocks marked executed / not executed): blocks 7ffd9b935123-7ffd9b93524d; the only API call is RtlSetProcessIsCritical in block 7ffd9b935150-7ffd9b935210.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: 738d7a808d91b78d8bb3da69a81efa77340dcf8844dd5e69a44b583917aced40
                                      • Instruction ID: 65d6ca8ecd5b65500252d7b08643403af5c4afcfa43af9f7e5db91225c24ce69
                                      • Opcode Fuzzy Hash: 738d7a808d91b78d8bb3da69a81efa77340dcf8844dd5e69a44b583917aced40
                                      • Instruction Fuzzy Hash: D7417A3190D7988FCB29DBA8D8556E97FF0EF56310F04416FD08AC7592CA286986C791

                                      Control-flow Graph
                                      control_flow_graph 249 7ffd9b9304fa-7ffd9b93108f VirtualProtect 255 7ffd9b931091 249->255 256 7ffd9b931097-7ffd9b9310bf 249->256 255->256
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 461c3ec52c9908ba89366a86d3dfc6ed9f530da801a4fe41694c0a8fc3fdc405
                                      • Instruction ID: 47d2e0a67c088219b612c79a26d481b7b378bfb6613e652faa22f8cfec93255b
                                      • Opcode Fuzzy Hash: 461c3ec52c9908ba89366a86d3dfc6ed9f530da801a4fe41694c0a8fc3fdc405
                                      • Instruction Fuzzy Hash: 56412931B0CA5C4FDB18EBA9A8097F97BE1EF96321F04427FD049C3192DF6564468791

                                      Control-flow Graph
                                      control_flow_graph 257 7ffd9b935de8-7ffd9b935def 258 7ffd9b935df1-7ffd9b935df9 257->258 259 7ffd9b935dfa-7ffd9b935e6d 257->259 258->259 263 7ffd9b935e73-7ffd9b935e80 259->263 264 7ffd9b935ef9-7ffd9b935efd 259->264 265 7ffd9b935e82-7ffd9b935ebf SetWindowsHookExW 263->265 264->265 267 7ffd9b935ec1 265->267 268 7ffd9b935ec7-7ffd9b935ef8 265->268 267->268
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 788072397ed2bf4f54e87c51a397dcdd9f246b2993388409c1b87fe5fa87623a
                                      • Instruction ID: df0b5c6dd4610c73a50b08fd59b4cfec00377d76523ce59fac728eda44a0ce42
                                      • Opcode Fuzzy Hash: 788072397ed2bf4f54e87c51a397dcdd9f246b2993388409c1b87fe5fa87623a
                                      • Instruction Fuzzy Hash: F4312A30A1CA5C5FDB18EB6C981A6F97BE1FF59321F04427ED05AC3292CE64A812C7C1

                                      Control-flow Graph
                                      control_flow_graph 277 7ffd9b930fc4-7ffd9b930fcb 278 7ffd9b930fcd-7ffd9b930fd5 277->278 279 7ffd9b930fd6-7ffd9b93108f VirtualProtect 277->279 278->279 283 7ffd9b931091 279->283 284 7ffd9b931097-7ffd9b9310bf 279->284 283->284
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 1c1112443fe768fce67c88b2f873f348e2577e060db99bbe4c641413a2f83c9e
                                      • Instruction ID: 38799540ce295c6f20acec7277adf402ee1f89c6eeab55974bedb50253adb0f1
                                      • Opcode Fuzzy Hash: 1c1112443fe768fce67c88b2f873f348e2577e060db99bbe4c641413a2f83c9e
                                      • Instruction Fuzzy Hash: AD312830A0CB4C4FDB18DB98D846AF9BBE1EB56321F04426FD049C3192CF75A856CB91

                                      Control-flow Graph
                                      control_flow_graph 271 7ffd9b930ecc-7ffd9b930f8f VirtualProtect 275 7ffd9b930f91 271->275 276 7ffd9b930f97-7ffd9b930fbf 271->276 275->276
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 191ebdaf702b0ad6cb6393839665ffc9fafa910fd8bc0998eaa4d614b03fcbd4
                                      • Instruction ID: 1e501fe2cd50316db3420850729029bb1621fc066683d42357b6868eee487c95
                                      • Opcode Fuzzy Hash: 191ebdaf702b0ad6cb6393839665ffc9fafa910fd8bc0998eaa4d614b03fcbd4
                                      • Instruction Fuzzy Hash: C431E431A0CB5C8FDB18DB99D845AF97BF1EF65721F04426FD049C3292CB60A846CB81

                                      Control-flow Graph
                                      control_flow_graph 285 7ffd9b930520-7ffd9b93108f VirtualProtect 290 7ffd9b931091 285->290 291 7ffd9b931097-7ffd9b9310bf 285->291 290->291
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 9295564b576d175b74647cfbf54285050d24fb357144f95389098d586d64c03f
                                      • Instruction ID: 01a41bf76c31a301471c8250d1c80a0efe07b7ed884289f7e94fa6eb28130336
                                      • Opcode Fuzzy Hash: 9295564b576d175b74647cfbf54285050d24fb357144f95389098d586d64c03f
                                      • Instruction Fuzzy Hash: 9B312631A0CA4C4FDB18DB9898457F9BBE1EB95311F04427FD04AD3192CF71A8468B81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0e$
                                      • API String ID: 0-3005398716
                                      • Opcode ID: e4d07765d90dd173484c5595adb8d0974352d5a2a45fae2e4a7472a4e151c5b3
                                      • Instruction ID: b198a21ab74068aeb720529f15adef11bbec956cff9975f11d83603acd0d0f71
                                      • Opcode Fuzzy Hash: e4d07765d90dd173484c5595adb8d0974352d5a2a45fae2e4a7472a4e151c5b3
                                      • Instruction Fuzzy Hash: 8C512872B1D60D5FD72CDA6CDC569FA77D6E785320F10423EE44AC32A6EA34A81282C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2587065194.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b930000_Nova Mod Pack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c907e4152f99353b5dc8d9b00f6bec9d6425da06f354b75f8018b07b544b503a
                                      • Instruction ID: f2f2b80ed7eac7ffee4a4b45ec5c2ae10890a2eb3674ad013f66ee02d7253d06
                                      • Opcode Fuzzy Hash: c907e4152f99353b5dc8d9b00f6bec9d6425da06f354b75f8018b07b544b503a
                                      • Instruction Fuzzy Hash: 15A1ACA194F3C65FE7178B749C701A1BFB0AF53210B0B81EBC0C58B0B3D618690AC3A2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810559904.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: abd21fdf8cc04c4454eb729c940baf5f9fd84feaf5b81eac644d2770097095a4
                                      • Instruction ID: b393f5451a89d8cf42b5098ffd2e537501e4ed49e435a7de41677c45bad90af9
                                      • Opcode Fuzzy Hash: abd21fdf8cc04c4454eb729c940baf5f9fd84feaf5b81eac644d2770097095a4
                                      • Instruction Fuzzy Hash: 1FD14632B0EA8D4FEBA5ABAC48655B97BE1EF16310B0900FED45DC70E3DA58A905C341
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810191114.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa1f03e4be9444455b08f8897f5d1576a2b8784ca96b908db3e3ad9153281508
                                      • Instruction ID: 81611ea74bffe5f5040fe4f71c7ef23b8575bb25768abcf28140eecb6cdfe410
                                      • Opcode Fuzzy Hash: aa1f03e4be9444455b08f8897f5d1576a2b8784ca96b908db3e3ad9153281508
                                      • Instruction Fuzzy Hash: 3A714A73B0A5AD5FE716A7AC98F64E43B60EF5232CB0D02F3C5958F1A3FC151A1A4281
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810191114.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d630b0e61e7004a1adaaaff0f823d6895db5a5e9d6044861b052efd6302ae86
                                      • Instruction ID: 61ea91b84a5f8ff436e96f65c87833230bb9cd2b6a4dd91403bdda9e2f11745d
                                      • Opcode Fuzzy Hash: 5d630b0e61e7004a1adaaaff0f823d6895db5a5e9d6044861b052efd6302ae86
                                      • Instruction Fuzzy Hash: FF412872A1DA8C9FDB589F5C980A6A87BE1FB94310F00412FE049C32A2DA20B945C7C2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1809806610.00007FFD9B82D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B82D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b82d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d239557d79ac87360000e707765ca2e686ba538fe312e5c51e2ad0bbaea28167
                                      • Instruction ID: 2d714ec0bebeb32520550670fd24591033d17c5eb07ea51635106a5f2dcc5cec
                                      • Opcode Fuzzy Hash: d239557d79ac87360000e707765ca2e686ba538fe312e5c51e2ad0bbaea28167
                                      • Instruction Fuzzy Hash: 4C41597140EBC44FE7668B3898559623FF0EF56361B1602EFD088CB5A3D625B806C792
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810191114.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dce8b174d5ebc77a5dd0e10d3687a34866d98669d943d616588087349d42ccac
                                      • Instruction ID: 077e2ee9f19b5c0b27fb3eb645ff2c75e92055771c9abf79ad961192cbf208d2
                                      • Opcode Fuzzy Hash: dce8b174d5ebc77a5dd0e10d3687a34866d98669d943d616588087349d42ccac
                                      • Instruction Fuzzy Hash: BD21C631A0CA0C8FDB58DF9CD88A7F97BE0EBA9321F04412FD449C3155D670A45ACB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810191114.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                      • Instruction ID: aaae9833596de069071959acf95a8ad63017a9a089beb24f7d99fad32c89d73e
                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                      • Instruction Fuzzy Hash: DD01677121CB0C4FD748EF0CE451AA5B7E0FB95364F50056DE58AC36A5DA36E882CB45
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810559904.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 41b273e861114af2f488ba7f6b778a8b4af79ebcb1090dff6c0b5f0ab4516b01
                                      • Instruction ID: 0ea01c14ae3ce19c8f377655d4f2d09a6295c327a398af5c82bab686cb590033
                                      • Opcode Fuzzy Hash: 41b273e861114af2f488ba7f6b778a8b4af79ebcb1090dff6c0b5f0ab4516b01
                                      • Instruction Fuzzy Hash: 89F03A32B4E55A8FD7A9EB5CE4518A8B3E0EF5632071600BBE16DC75B7CA25EC418B40
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810559904.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f150ff20b9b7f8a9d10c637e84c64ee0223156d0f52dfad4aed1872166e0d315
                                      • Instruction ID: dd68ea9796ae63f9254f6b3a130ab60b5d0c6b315726b20ba5766132f00918ef
                                      • Opcode Fuzzy Hash: f150ff20b9b7f8a9d10c637e84c64ee0223156d0f52dfad4aed1872166e0d315
                                      • Instruction Fuzzy Hash: 6FF0BE32A0E5498FD7A4EB5CE4608A877E0FF0532071200BAE059C70B3CA25AC40CB40
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810559904.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction ID: d7238435132e971c75ee3b162a05e41f32e6679753c4e0f153927ee519f0f553
                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction Fuzzy Hash: 2CE01A31B0C8198FDAB8DB4CE0519E9B3E1EB9932171211BBD14EC7571CA22ED518B80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1810191114.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: K_^4$K_^7$K_^F$K_^J
                                      • API String ID: 0-377281160
                                      • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                      • Instruction ID: b515aea1ca77e73cdb519bb83341514541d9e2e039b9fbdd731f0e51de40786c
                                      • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                      • Instruction Fuzzy Hash: A72138B7708536AED7457B7CB854DD93BA0CF9827434982F3D0AACB093E915708B8AC0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1910775322.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 100a812c1da1dd6ab212cd8f3399e01ecd92a9b55a962bb31a97f0c29644e125
                                      • Instruction ID: 636e45a962c522a84e2477486109df2af1b4c081c0bca64e26c1611e02e16038
                                      • Opcode Fuzzy Hash: 100a812c1da1dd6ab212cd8f3399e01ecd92a9b55a962bb31a97f0c29644e125
                                      • Instruction Fuzzy Hash: 81D17131A1CA4D8FDF99DF58C465AA9BBF1FF68300F15416AD40DD72A6CA34E881CB81
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1911424015.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d7766a77e4b5ce0df56f48fa13d3645b78bee820187405819586c94cf6cfbd4
                                      • Instruction ID: c17beb793c6d67100ed96a6fd35ec70d7a614ae5fd8d9dff7842717930743088
                                      • Opcode Fuzzy Hash: 3d7766a77e4b5ce0df56f48fa13d3645b78bee820187405819586c94cf6cfbd4
                                      • Instruction Fuzzy Hash: 4AD14631B0EA8E4FEBA5ABAC48655B57BE0EF56314F0901FED48DC70E3DA58A905C341
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1910040967.00007FFD9B81D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B81D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b81d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f114eb070e352110144b9fdbee62a56ca472408fe026a4b2d63771065d13545e
                                      • Instruction ID: 85d4193fc7af2e734ecbc0ed6a046140cd38c6e2c846152b3963cfa342cd6a83
                                      • Opcode Fuzzy Hash: f114eb070e352110144b9fdbee62a56ca472408fe026a4b2d63771065d13545e
                                      • Instruction Fuzzy Hash: 6D41177150EBC44FE7569B389855A623FF0EF56320F1901EFD088CB1A7D729A846C7A2
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1910775322.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b5a6a31c06d7b603686c2bfa5d8ada8069bedf4670f751605abdad73cb1489ce
                                      • Instruction ID: a3574fcfa5a6f00c5497bd898c286d78766d31f7298480cb863a2d9003798a47
                                      • Opcode Fuzzy Hash: b5a6a31c06d7b603686c2bfa5d8ada8069bedf4670f751605abdad73cb1489ce
                                      • Instruction Fuzzy Hash: 5631953191CB4C9FDB5CDB5CA84A6A97BE0FB98711F00422FE449D3251CA71A856CBC2
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1910775322.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd5b8329412bb4b8e5dfb81f3853cdee8fd2d06826ad53a2f03f59d820c46ecb
                                      • Instruction ID: 47de85fe321c511254b6e2a9cac4016b03e67033bc5dcb866774faa18af17fa5
                                      • Opcode Fuzzy Hash: dd5b8329412bb4b8e5dfb81f3853cdee8fd2d06826ad53a2f03f59d820c46ecb
                                      • Instruction Fuzzy Hash: C421F331A0CA0C8FDB58DF9CD84A7E97BE0EBA9321F00812FD04DC3152D671A85ACB81
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1910775322.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction ID: e4a0fede03419c1b2225b33ba5aee43584c5f73d865b53905b152308fc4fda9b
                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction Fuzzy Hash: 3401A73021CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58AC36A5DA32E882CB41
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1911424015.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c59ee8ddc86ba109506518ed96ca5e96181d7228beda94f9891efacb6fe74f90
                                      • Instruction ID: 2752b26119583ef209bacd9986f5c55a43ba932f435c35fc5c30ed8b2fff241d
                                      • Opcode Fuzzy Hash: c59ee8ddc86ba109506518ed96ca5e96181d7228beda94f9891efacb6fe74f90
                                      • Instruction Fuzzy Hash: 4BF03A32A4E5498FD769EB5CE4518A873E0FF55320B1600BAE0ADC75B7CA25EC418740
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1911424015.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1f9c64e6560dd8238154ce8475c8ca9f4328dc5e69730de514aa0fa7df02be8e
                                      • Instruction ID: d8e73d6d3d3c4324c28ef1f77d89559d39629304d586aa77003cb4b449aa4794
                                      • Opcode Fuzzy Hash: 1f9c64e6560dd8238154ce8475c8ca9f4328dc5e69730de514aa0fa7df02be8e
                                      • Instruction Fuzzy Hash: 22F05E31A4E5498FD764EB58E4618A877F0FF45320B5600FAE099C75B7DA66AC40C750
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1911424015.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 473268a2b64a69fa31480ace0e176981786fc005b847518550129db03776ef45
                                      • Instruction ID: f11c75debf00fdf78048993e95826695e3a108ec5846f8de78c6446fd168cf99
                                      • Opcode Fuzzy Hash: 473268a2b64a69fa31480ace0e176981786fc005b847518550129db03776ef45
                                      • Instruction Fuzzy Hash: 07E01A31B0C8089FDA78DB4CE0519B973E1FB99320B5201ABD18EC7571CA22ED518B80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1910775322.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                      • API String ID: 0-1415242001
                                      • Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                      • Instruction ID: 6666f728dc245b4959f16f7906c7d745e3204e6b6a9dd08ba7cd2eeb44a9a108
                                      • Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                      • Instruction Fuzzy Hash: 822107737045258AC30536ADB8519ED7780DF5437834991F3E229CF153DF25A48F8A80
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2070527633.00007FFD9B935000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B935000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b935000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b2f08b3c59b7de5f1c58c24345c4f3ef0840ca83dee48cce8ab304fabde0351
                                      • Instruction ID: 32eb499f1308c5182ada025b4f382d5f518b9d4105829758cd95eae16c8b5964
                                      • Opcode Fuzzy Hash: 4b2f08b3c59b7de5f1c58c24345c4f3ef0840ca83dee48cce8ab304fabde0351
                                      • Instruction Fuzzy Hash: 7EC17231A1DA4D8FDF99DF58C465AA9BBF1FF68300F15416AD409D72A6CA34E841CB80
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2071440987.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2b416f44fcd2e9904cc2ae9eadf7372bd77424da59c2f529ed28e232fcbd301e
                                      • Instruction ID: 6b792985d788dec6545b06ccb2e0173c17d593df7adabf68384b06462159fd9e
                                      • Opcode Fuzzy Hash: 2b416f44fcd2e9904cc2ae9eadf7372bd77424da59c2f529ed28e232fcbd301e
                                      • Instruction Fuzzy Hash: B0D14631B0EA8E4FEB65ABAC88655B57BD1EF16314F0901FED48DC70E3D968A905C341
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2070527633.00007FFD9B935000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B935000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b935000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 148922f8cfad7268aefb3d3edab7003f0c24580bdd087014aa458290d6eff269
                                      • Instruction ID: 1c5ffbb1cf27bcc965ab578b5f8f9847207418e3a42fc653733c395ed10083ea
                                      • Opcode Fuzzy Hash: 148922f8cfad7268aefb3d3edab7003f0c24580bdd087014aa458290d6eff269
                                      • Instruction Fuzzy Hash: 4D311A31A1CB4C5FDB189F5C984A6E97BE0FBA9310F04412FE449C3292DB70A915CBC2
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2069487332.00007FFD9B81D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B81D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b81d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 35e9ca9dbbf7e16f2b76055bb481f91c4af9c915e8da837be957f2fca5879fb6
                                      • Instruction ID: 4018fc791f5d3e88c699d4d10ae5b092d4b32a7c8e5b897026c50f60cbb064fe
                                      • Opcode Fuzzy Hash: 35e9ca9dbbf7e16f2b76055bb481f91c4af9c915e8da837be957f2fca5879fb6
                                      • Instruction Fuzzy Hash: 9141167140EBC84FE7568B399855A523FF0EF57320F1605EFD088CB5A3D625A846C7A2
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2070527633.00007FFD9B935000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B935000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b935000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 853a194339a24d472eaeffd3f849140144439c9ba75fa7def0eb0f6e0cc42705
                                      • Instruction ID: 22ba408cf563323ec861e260ac77b74fdf92e17a9028284283dabae9ca8b681c
                                      • Opcode Fuzzy Hash: 853a194339a24d472eaeffd3f849140144439c9ba75fa7def0eb0f6e0cc42705
                                      • Instruction Fuzzy Hash: EE31863090D78C8FDB15DBA88C557FA3FE4DBA3320F04816FE089C7162D664991AC792
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2070527633.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b930000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction ID: e4a0fede03419c1b2225b33ba5aee43584c5f73d865b53905b152308fc4fda9b
                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction Fuzzy Hash: 3401A73021CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58AC36A5DA32E882CB41
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2071440987.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 328882c5b07151cdb9ab568c3daf6f25fe8074881b5438e9ee582273a9cf3eb8
                                      • Instruction ID: 59cc94ec7d34743561c7be374d23d393ee4e31fdd1c2209c23455e7d7bb27fd2
                                      • Opcode Fuzzy Hash: 328882c5b07151cdb9ab568c3daf6f25fe8074881b5438e9ee582273a9cf3eb8
                                      • Instruction Fuzzy Hash: 8FF03A32A4E6498FD769EB5CE4518A8B3E0FF55320B1600BAE0ADC75B7CA25EC418744
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2071440987.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8527efeb1cd5c6349e3353c3e59c77835a7be1b0ed30fb8166e999a37979281d
                                      • Instruction ID: f9e98305a68d355865a3684eabb701b8e7c0ba28d078603f75dc1b8bcc2b4c43
                                      • Opcode Fuzzy Hash: 8527efeb1cd5c6349e3353c3e59c77835a7be1b0ed30fb8166e999a37979281d
                                      • Instruction Fuzzy Hash: 6FF05E32A4E5498FD764EB5CE4618A877F0FF45320B5600FAE09DC75B7DA66AC40C750
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2071440987.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9ba00000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 473268a2b64a69fa31480ace0e176981786fc005b847518550129db03776ef45
                                      • Instruction ID: f11c75debf00fdf78048993e95826695e3a108ec5846f8de78c6446fd168cf99
                                      • Opcode Fuzzy Hash: 473268a2b64a69fa31480ace0e176981786fc005b847518550129db03776ef45
                                      • Instruction Fuzzy Hash: 07E01A31B0C8089FDA78DB4CE0519B973E1FB99320B5201ABD18EC7571CA22ED518B80
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2070527633.00007FFD9B935000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B935000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b935000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d397956539861914c1d987bddaf4981c7da9de91c74c691579a1b0b252965817
                                      • Instruction ID: f0baf5d9f62317a6054dfe57cad5cc4dfbd93061dda9e09246d9fc1a35dbc327
                                      • Opcode Fuzzy Hash: d397956539861914c1d987bddaf4981c7da9de91c74c691579a1b0b252965817
                                      • Instruction Fuzzy Hash: EEE04F35915A4C8FDF54EF18C8598E97BE0FF68701B01429BE81DC7120DB719A58CBC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2070527633.00007FFD9B935000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B935000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ffd9b935000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: L_^4$L_^7$L_^F$L_^J
                                      • API String ID: 0-3225005683
                                      • Opcode ID: c434990ae4357702e856ca0a540c798ab97805ed6931bb80417326eb2dd8eeba
                                      • Instruction ID: 19e4f66a24657e2a85e95ad6ab0ade56ffe19fcd4b3674a0ef0364266f0a26d5
                                      • Opcode Fuzzy Hash: c434990ae4357702e856ca0a540c798ab97805ed6931bb80417326eb2dd8eeba
                                      • Instruction Fuzzy Hash: 9521F6B77085359ED3457BBDB815DED3740CF9427434992F2D2AA8B093EA15708A8AD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2283431858.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b9f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7xe
                                      • API String ID: 0-3571936621
                                      • Opcode ID: 88ac74ea88e81fdd4968c0c1d96962ae55243677a10d2e3a335b5fa4b59d0c9d
                                      • Instruction ID: 12884940db55a4999e96fb7e250fb72d3b2f56fcef03a9f70c5132bc3e24a2ff
                                      • Opcode Fuzzy Hash: 88ac74ea88e81fdd4968c0c1d96962ae55243677a10d2e3a335b5fa4b59d0c9d
                                      • Instruction Fuzzy Hash: 09D13531B1EB8E6FEB65ABA848655B57FD1EF16320B0901BED44DC70E3D918AD04C341
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2280680514.00007FFD9B80D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b80d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3273be0812a8aac7350d847b9aeabf222d07b1450c358fece361789c9f2bdddb
                                      • Instruction ID: 04192c801359d2381b73a52832c3771e746aa10a4139fcf1b7144a2e08b76a58
                                      • Opcode Fuzzy Hash: 3273be0812a8aac7350d847b9aeabf222d07b1450c358fece361789c9f2bdddb
                                      • Instruction Fuzzy Hash: 7941393180EBC44FE7669B2C98519923FF0EF57360B1A05DFD4C8CB5A3D629A846C792
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2282013501.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b920000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be03d9ce2f938f3af1b81b974210c644d0dc5b9d8347a059cddcebcb318c21e6
                                      • Instruction ID: 340e70eebbbdf538d49b5dcec1371416ac15115a07fcf448fb94df7719430768
                                      • Opcode Fuzzy Hash: be03d9ce2f938f3af1b81b974210c644d0dc5b9d8347a059cddcebcb318c21e6
                                      • Instruction Fuzzy Hash: 7C310971A1DB884FDB199F5C980A6A8BBE0FB55310F0441BFD49983292CA24A945CBC2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2282013501.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b920000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f9c8c4a5b779b23cb4f862a6911894c30c782ddd2e20adb909a374eb8644afdb
                                      • Instruction ID: a3ff92aafcd7320902c4aee613a8ad12e682cc20f5180d0e752640574e2727c6
                                      • Opcode Fuzzy Hash: f9c8c4a5b779b23cb4f862a6911894c30c782ddd2e20adb909a374eb8644afdb
                                      • Instruction Fuzzy Hash: A231F631D0DB8C4FDB69DBA888596E97FF0EF66320F0441AFD049C7163DA68580AC792
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2282013501.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b920000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5c2a6680d8321c5fd020a7ebe1c35e8e5b6ea930756c48065a7c9b958a5e9cc9
                                      • Instruction ID: ce8f71a69e24693e2bdf3af8374964b0cd29884ad5d6a3bfc8136cb2e106b5c3
                                      • Opcode Fuzzy Hash: 5c2a6680d8321c5fd020a7ebe1c35e8e5b6ea930756c48065a7c9b958a5e9cc9
                                      • Instruction Fuzzy Hash: BE319331A1CB4C9FDB18DB4CA84A6A97BE0FB98721F00422FE449D3251CA71A855CBC2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2282013501.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b920000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction ID: 3e79ada1ebe076d58ee0d3e3bed93f60cfe6149c052d0fa132e70b9b6ca29c9c
                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction Fuzzy Hash: AA01A73021CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58AC36A5DA32E882CB41
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2282013501.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b920000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c3410f366d1076ce567bd151b4b68e5e477f83af8afeb0c794b6189d3b93b3f
                                      • Instruction ID: 329f3894c4c78c3d49cec7f96675e3e4a6a7706c87333559c1c5d5f1d6fba0a5
                                      • Opcode Fuzzy Hash: 1c3410f366d1076ce567bd151b4b68e5e477f83af8afeb0c794b6189d3b93b3f
                                      • Instruction Fuzzy Hash: EAF02B77A1AA8C4FDB91DF2CD8690E47FA0FF76211B0602EBE448C7172EA215908C781
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2283431858.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b9f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42d346f24740094a5655a3343c130a9b26e27c7ebb045523b3358f83a5da834f
                                      • Instruction ID: 5877fd20135db3200c173144b8d3e85af160fcd4354e4ee21f81695acccd6494
                                      • Opcode Fuzzy Hash: 42d346f24740094a5655a3343c130a9b26e27c7ebb045523b3358f83a5da834f
                                      • Instruction Fuzzy Hash: ACF0BE32B0E6098FD768EA5CE4519A877E0EF6433071200BAE06DC72B7CA25EC40C781
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2283431858.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b9f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3ee58a9061668da38514abe174fce2c8e0c68667f9e245e3b871c81a25a9a16
                                      • Instruction ID: c0e109e009a3777dc571d95369573f56cbb236cc9d6b20a11ea0ab38af93c54d
                                      • Opcode Fuzzy Hash: f3ee58a9061668da38514abe174fce2c8e0c68667f9e245e3b871c81a25a9a16
                                      • Instruction Fuzzy Hash: 00F0BE32B0E5498FD764EA5CE4609A8B7E0FF0432070200BAE05DC71A3CA26AC40C740
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2283431858.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b9f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction ID: f17439248f1528e3505b56be7bd4aad164e56791cc5155dc121e874b81fceef3
                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction Fuzzy Hash: 84E01A31B1C8089FDA78DA4DE051AA977E1EBA833171241BBD14EC7671CA22ED518B80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2282013501.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b920000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                      • API String ID: 0-962139525
                                      • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                      • Instruction ID: ec054bd8ceb0d64cdf291b372f499b579473aa2a9bdd2c6010fa22b6a39c03e5
                                      • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                      • Instruction Fuzzy Hash: 4121C273B14525CAD34636ACB851DD87780DF5437938A43F3E02ACF193E919A48B8A81

                                      Execution Graph

                                      Execution Coverage:12.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:12
                                      Total number of Limit Nodes:0
                                      execution_graph 1987 7ffd9b9108b9 1988 7ffd9b9108cf 1987->1988 1988->1988 1990 7ffd9b910d2b 1988->1990 1991 7ffd9b910520 1988->1991 1992 7ffd9b910529 VirtualProtect 1991->1992 1994 7ffd9b911091 1992->1994 1994->1990 1995 7ffd9b9104fa 1996 7ffd9b910515 VirtualProtect 1995->1996 1998 7ffd9b911091 1996->1998 1983 7ffd9b910ecc 1984 7ffd9b910eef VirtualProtect 1983->1984 1986 7ffd9b910f91 1984->1986

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 165 7ffd9b9104fa-7ffd9b91108f VirtualProtect 171 7ffd9b911091 165->171 172 7ffd9b911097-7ffd9b9110bf 165->172 171->172
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2364486394.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b910000_System32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 3860c9b8b7052648c7ea24add97769296c8b9b4755d7b1b9d9c66c781b2e54ad
                                      • Instruction ID: d798c9fc0c2a9496e8b4567adbf0eef6ab56d6b18f139fcebf9e270df6475d90
                                      • Opcode Fuzzy Hash: 3860c9b8b7052648c7ea24add97769296c8b9b4755d7b1b9d9c66c781b2e54ad
                                      • Instruction Fuzzy Hash: 2F414731B0CA584FDB18EBA9A8097F87BE0EF95321F04427FD049C7292DB6568468791

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 179 7ffd9b910fc4-7ffd9b910fcb 180 7ffd9b910fcd-7ffd9b910fd5 179->180 181 7ffd9b910fd6-7ffd9b91108f VirtualProtect 179->181 180->181 185 7ffd9b911091 181->185 186 7ffd9b911097-7ffd9b9110bf 181->186 185->186
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2364486394.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b910000_System32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: eeedf9540e24218b59af81669bae7f040804f1d3fa8a94bddcfb0c4b9c9f5d5f
                                      • Instruction ID: b9dc7bf5aedaa916abc3dc41168812631eeb258dbffbda7b3e11a80164b90e31
                                      • Opcode Fuzzy Hash: eeedf9540e24218b59af81669bae7f040804f1d3fa8a94bddcfb0c4b9c9f5d5f
                                      • Instruction Fuzzy Hash: D1312830A0CB4C4FDB18DB98D846AF9BBE1EB59321F04426FD049C3292CB75A856CB91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 173 7ffd9b910ecc-7ffd9b910f8f VirtualProtect 177 7ffd9b910f91 173->177 178 7ffd9b910f97-7ffd9b910fbf 173->178 177->178
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2364486394.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b910000_System32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: f78370be56ec829acae6e4a53f6649e69e359cc0bb0f9931d85a23b8814f2bd9
                                      • Instruction ID: dd9bec10f8fb965a7ff170961b5486e792d4b168e7f3007e6104d369816402bf
                                      • Opcode Fuzzy Hash: f78370be56ec829acae6e4a53f6649e69e359cc0bb0f9931d85a23b8814f2bd9
                                      • Instruction Fuzzy Hash: 5231E431A0CB5C8FDB18DB99D845AF9BBE1EB55721F04426FE049C3292CB64A846CB81

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910520-7ffd9b91108f calls VirtualProtect, then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2364486394.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 8d48ddb84a8865b50134f5be5dab845cfb066a24fc626c0c4cff406aa1e2baa6
• Instruction ID: 7ab9732df28671919513e5ab22d899dc3bac14a25d52290df64141f3831bae14
• Opcode Fuzzy Hash: 8d48ddb84a8865b50134f5be5dab845cfb066a24fc626c0c4cff406aa1e2baa6
• Instruction Fuzzy Hash: CC312631A0CA4C8FDB18DB9898456F9BBE1EB59311F04427FD049D3292CB71A8468781

Execution Graph

Execution Coverage: 12.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 0
[Execution graph image omitted: three paths, starting at 7ffd9b9108b9 (via 7ffd9b910520), 7ffd9b9104fa and 7ffd9b910ecc, each reaching a VirtualProtect call.]

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b9104fa-7ffd9b91108f calls VirtualProtect, then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 00000010.00000002.2458429799.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 3860c9b8b7052648c7ea24add97769296c8b9b4755d7b1b9d9c66c781b2e54ad
• Instruction ID: d798c9fc0c2a9496e8b4567adbf0eef6ab56d6b18f139fcebf9e270df6475d90
• Opcode Fuzzy Hash: 3860c9b8b7052648c7ea24add97769296c8b9b4755d7b1b9d9c66c781b2e54ad
• Instruction Fuzzy Hash: 2F414731B0CA584FDB18EBA9A8097F87BE0EF95321F04427FD049C7292DB6568468791

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910fc4-7ffd9b910fcb leads (directly or via 7ffd9b910fcd-7ffd9b910fd5) to 7ffd9b910fd6-7ffd9b91108f, which calls VirtualProtect and then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 00000010.00000002.2458429799.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: eeedf9540e24218b59af81669bae7f040804f1d3fa8a94bddcfb0c4b9c9f5d5f
• Instruction ID: b9dc7bf5aedaa916abc3dc41168812631eeb258dbffbda7b3e11a80164b90e31
• Opcode Fuzzy Hash: eeedf9540e24218b59af81669bae7f040804f1d3fa8a94bddcfb0c4b9c9f5d5f
• Instruction Fuzzy Hash: D1312830A0CB4C4FDB18DB98D846AF9BBE1EB59321F04426FD049C3292CB75A856CB91

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910ecc-7ffd9b910f8f calls VirtualProtect, then branches to 7ffd9b910f91 and 7ffd9b910f97-7ffd9b910fbf.]
APIs
Memory Dump Source
• Source File: 00000010.00000002.2458429799.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: f78370be56ec829acae6e4a53f6649e69e359cc0bb0f9931d85a23b8814f2bd9
• Instruction ID: dd9bec10f8fb965a7ff170961b5486e792d4b168e7f3007e6104d369816402bf
• Opcode Fuzzy Hash: f78370be56ec829acae6e4a53f6649e69e359cc0bb0f9931d85a23b8814f2bd9
• Instruction Fuzzy Hash: 5231E431A0CB5C8FDB18DB99D845AF9BBE1EB55721F04426FE049C3292CB64A846CB81

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910520-7ffd9b91108f calls VirtualProtect, then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 00000010.00000002.2458429799.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 8d48ddb84a8865b50134f5be5dab845cfb066a24fc626c0c4cff406aa1e2baa6
• Instruction ID: 7ab9732df28671919513e5ab22d899dc3bac14a25d52290df64141f3831bae14
• Opcode Fuzzy Hash: 8d48ddb84a8865b50134f5be5dab845cfb066a24fc626c0c4cff406aa1e2baa6
• Instruction Fuzzy Hash: CC312631A0CA4C8FDB18DB9898456F9BBE1EB59311F04427FD049D3292CB71A8468781

Execution Graph

Execution Coverage: 8.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 0
[Execution graph image omitted: three paths, one from 7ffd9b935238 reaching a SetWindowsHookExW call, and two from 7ffd9b930ecc and 7ffd9b9308b9 (via 7ffd9b930520) each reaching a VirtualProtect call.]

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b935238-7ffd9b93523f leads through 7ffd9b93524a-7ffd9b9352bd to 7ffd9b9352d2-7ffd9b93530f, which calls SetWindowsHookExW and then branches to 7ffd9b935311 and 7ffd9b935317-7ffd9b935348.]
APIs
Memory Dump Source
• Source File: 00000012.00000002.2994057538.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b930000_System32.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 345b5122b1662c5b5899b375faeb4b932b5d578252449814bab611a3f520c963
• Instruction ID: 3c1a46fdfc4fa9769d74660467e816d0037be388105555ebfca6479b852b76c3
• Opcode Fuzzy Hash: 345b5122b1662c5b5899b375faeb4b932b5d578252449814bab611a3f520c963
• Instruction Fuzzy Hash: F0410831A1CA5C8FDB18EF6C98566F9BBE1EF59321F00427ED019C3296CE64A85287C1

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b9304fa-7ffd9b93108f calls VirtualProtect, then branches to 7ffd9b931091 and 7ffd9b931097-7ffd9b9310bf.]
APIs
Memory Dump Source
• Source File: 00000012.00000002.2994057538.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b930000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 743deb20f24d6b9bf9939618e8571f770ded857149b119ddbb85acc65db141ef
• Instruction ID: 47d2e0a67c088219b612c79a26d481b7b378bfb6613e652faa22f8cfec93255b
• Opcode Fuzzy Hash: 743deb20f24d6b9bf9939618e8571f770ded857149b119ddbb85acc65db141ef
• Instruction Fuzzy Hash: 56412931B0CA5C4FDB18EBA9A8097F97BE1EF96321F04427FD049C3192DF6564468791

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b930fc4-7ffd9b930fcb leads (directly or via 7ffd9b930fcd-7ffd9b930fd5) to 7ffd9b930fd6-7ffd9b93108f, which calls VirtualProtect and then branches to 7ffd9b931091 and 7ffd9b931097-7ffd9b9310bf.]
APIs
Memory Dump Source
• Source File: 00000012.00000002.2994057538.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b930000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 15689735c5a8bf62fedb3a38be063faced7e8d2e1811d95e2a557e4535ad46d5
• Instruction ID: 38799540ce295c6f20acec7277adf402ee1f89c6eeab55974bedb50253adb0f1
• Opcode Fuzzy Hash: 15689735c5a8bf62fedb3a38be063faced7e8d2e1811d95e2a557e4535ad46d5
• Instruction Fuzzy Hash: AD312830A0CB4C4FDB18DB98D846AF9BBE1EB56321F04426FD049C3192CF75A856CB91

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b930ecc-7ffd9b930f8f calls VirtualProtect, then branches to 7ffd9b930f91 and 7ffd9b930f97-7ffd9b930fbf.]
APIs
Memory Dump Source
• Source File: 00000012.00000002.2994057538.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b930000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 73511cabf359270e84b98a0e1fcfe86abae6917f1ce4b8c5ca1fced40e00a0c2
• Instruction ID: 08ed0db7e6e304a5aaf096853873b09997291284069f2949de35e6416356a146
• Opcode Fuzzy Hash: 73511cabf359270e84b98a0e1fcfe86abae6917f1ce4b8c5ca1fced40e00a0c2
• Instruction Fuzzy Hash: D931E430A0CB5C8FDB18DB999845AF97BF1EF65721F04426FD049C3292CB60A846CB81

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b930520-7ffd9b93108f calls VirtualProtect, then branches to 7ffd9b931091 and 7ffd9b931097-7ffd9b9310bf.]
APIs
Memory Dump Source
• Source File: 00000012.00000002.2994057538.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b930000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 47b3b054fc4cbceee0adc73ec13dff991cd5546ba9deae58bcb63af00099f0b7
• Instruction ID: 01a41bf76c31a301471c8250d1c80a0efe07b7ed884289f7e94fa6eb28130336
• Opcode Fuzzy Hash: 47b3b054fc4cbceee0adc73ec13dff991cd5546ba9deae58bcb63af00099f0b7
• Instruction Fuzzy Hash: 9B312631A0CA4C4FDB18DB9898457F9BBE1EB95311F04427FD04AD3192CF71A8468B81

Execution Graph

Execution Coverage: 12.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 0
[Execution graph image omitted: three paths, starting at 7ffd9b9108b9 (via 7ffd9b910520), 7ffd9b9104fa and 7ffd9b910ecc, each reaching a VirtualProtect call.]

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b9104fa-7ffd9b91108f calls VirtualProtect, then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 0000001A.00000002.2676950264.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 3860c9b8b7052648c7ea24add97769296c8b9b4755d7b1b9d9c66c781b2e54ad
• Instruction ID: d798c9fc0c2a9496e8b4567adbf0eef6ab56d6b18f139fcebf9e270df6475d90
• Opcode Fuzzy Hash: 3860c9b8b7052648c7ea24add97769296c8b9b4755d7b1b9d9c66c781b2e54ad
• Instruction Fuzzy Hash: 2F414731B0CA584FDB18EBA9A8097F87BE0EF95321F04427FD049C7292DB6568468791

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910fc4-7ffd9b910fcb leads (directly or via 7ffd9b910fcd-7ffd9b910fd5) to 7ffd9b910fd6-7ffd9b91108f, which calls VirtualProtect and then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 0000001A.00000002.2676950264.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: eeedf9540e24218b59af81669bae7f040804f1d3fa8a94bddcfb0c4b9c9f5d5f
• Instruction ID: b9dc7bf5aedaa916abc3dc41168812631eeb258dbffbda7b3e11a80164b90e31
• Opcode Fuzzy Hash: eeedf9540e24218b59af81669bae7f040804f1d3fa8a94bddcfb0c4b9c9f5d5f
• Instruction Fuzzy Hash: D1312830A0CB4C4FDB18DB98D846AF9BBE1EB59321F04426FD049C3292CB75A856CB91

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910ecc-7ffd9b910f8f calls VirtualProtect, then branches to 7ffd9b910f91 and 7ffd9b910f97-7ffd9b910fbf.]
APIs
Memory Dump Source
• Source File: 0000001A.00000002.2676950264.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: f78370be56ec829acae6e4a53f6649e69e359cc0bb0f9931d85a23b8814f2bd9
• Instruction ID: dd9bec10f8fb965a7ff170961b5486e792d4b168e7f3007e6104d369816402bf
• Opcode Fuzzy Hash: f78370be56ec829acae6e4a53f6649e69e359cc0bb0f9931d85a23b8814f2bd9
• Instruction Fuzzy Hash: 5231E431A0CB5C8FDB18DB99D845AF9BBE1EB55721F04426FE049C3292CB64A846CB81

Control-flow Graph

[Control-flow graph image omitted; legend: Executed / Not Executed. Entry block 7ffd9b910520-7ffd9b91108f calls VirtualProtect, then branches to 7ffd9b911091 and 7ffd9b911097-7ffd9b9110bf.]
APIs
Memory Dump Source
• Source File: 0000001A.00000002.2676950264.00007FFD9B910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffd9b910000_System32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 8d48ddb84a8865b50134f5be5dab845cfb066a24fc626c0c4cff406aa1e2baa6
• Instruction ID: 7ab9732df28671919513e5ab22d899dc3bac14a25d52290df64141f3831bae14
• Opcode Fuzzy Hash: 8d48ddb84a8865b50134f5be5dab845cfb066a24fc626c0c4cff406aa1e2baa6
• Instruction Fuzzy Hash: CC312631A0CA4C8FDB18DB9898456F9BBE1EB59311F04427FD049D3292CB71A8468781