Windows Analysis Report
x.exe

Overview

General Information

Sample name: x.exe
Analysis ID: 1473982
MD5: e61141a7ae1bbdd5fb0434f2c946b566
SHA1: e3d273eaa76ab582fb5b838247e353d0ba7f5a91
SHA256: 80fc8a632e482b50356c24f84a04f72dcec1c88d1259c5f8b121c5acc6135b93
Tags: exe, xworm

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 5052 cmdline: "C:\Users\user\Desktop\x.exe" MD5: E61141A7AE1BBDD5FB0434F2C946B566)
    • powershell.exe (PID: 2788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java update (64 bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java update (64 bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["89.213.177.100"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Source | Rule | Description | Author
x.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
x.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
x.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
x.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x81b0:$s6: VirtualBox
  • 0x810e:$s8: Win32_ComputerSystem
  • 0x8b5e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bfb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d10:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x880c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
C:\ProgramData\java update (64 bit).exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\ProgramData\java update (64 bit).exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\java update (64 bit).exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\java update (64 bit).exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x81b0:$s6: VirtualBox
  • 0x810e:$s8: Win32_ComputerSystem
  • 0x8b5e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bfb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d10:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x880c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3330204780.000000000283A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x7fb0:$s6: VirtualBox
  • 0x7f0e:$s8: Win32_ComputerSystem
  • 0x895e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x89fb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8b10:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x860c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
0.0.x.exe.500000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.x.exe.500000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.x.exe.500000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.x.exe.500000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x81b0:$s6: VirtualBox
  • 0x810e:$s8: Win32_ComputerSystem
  • 0x8b5e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bfb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d10:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x880c:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 5052, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 2788, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 5052, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 2788, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 5052, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 2788, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\x.exe, ProcessId: 5052, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java update (64 bit).lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 5052, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 2788, ProcessName: powershell.exe
Timestamp: 07/16/24-06:25:03.741667
SID: 2855924
Source Port: 49719
Destination Port: 7000
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/16/24-06:26:01.633601
SID: 2852923
Source Port: 49719
Destination Port: 7000
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/16/24-06:26:03.286405
SID: 2852874
Source Port: 7000
Destination Port: 49719
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/16/24-06:26:03.286405
SID: 2852870
Source Port: 7000
Destination Port: 49719
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: x.exe | Avira: detected
Source: C:\ProgramData\java update (64 bit).exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: x.exe | Malware Configuration Extractor: Xworm {"C2 url": ["89.213.177.100"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Source: C:\ProgramData\java update (64 bit).exe | ReversingLabs: Detection: 76%
Source: x.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\java update (64 bit).exe | Joe Sandbox ML: detected
Source: x.exe | Joe Sandbox ML: detected
Source: x.exe | String decryptor: 89.213.177.100
Source: x.exe | String decryptor: 7000
Source: x.exe | String decryptor: <123456789>
Source: x.exe | String decryptor: <Xwormmm>
Source: x.exe | String decryptor: XWorm V5.4
Source: x.exe | String decryptor: USB.exe
Source: x.exe | String decryptor: %ProgramData%
Source: x.exe | String decryptor: java update (64 bit).exe
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 89.213.177.100:7000 -> 192.168.2.6:49719
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 89.213.177.100:7000 -> 192.168.2.6:49719
Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49719 -> 89.213.177.100:7000
Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:49719 -> 89.213.177.100:7000
Source: Malware configuration extractor | URLs: 89.213.177.100
Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49719 -> 89.213.177.100:7000
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: EDGEtaGCIComGB
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 89.213.177.100 (logged 17 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000002.00000002.2175066686.000002CD639FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2265322076.000002182DD06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m.
Source: powershell.exe, 00000005.00000002.2263789360.000002182DC10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2263789360.000002182DC10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000C.00000002.2460597766.000001AE36993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: x.exe, java update (64 bit).exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2167804276.000002CD5B2B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2250198480.0000021825452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2400159540.0000024010072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2152858285.000002CD4B46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.0000021815609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: x.exe, 00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2152858285.000002CD4B241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.00000218153E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2152858285.000002CD4B46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.0000021815609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2175066686.000002CD639FC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2265322076.000002182DD06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000A.00000002.2427370462.00000240758E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co(
Source: powershell.exe, 00000002.00000002.2175066686.000002CD639FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cots/MicrosoftP
Source: powershell.exe, 00000002.00000002.2152858285.000002CD4B241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.00000218153E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2167804276.000002CD5B2B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2250198480.0000021825452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2400159540.0000024010072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED
Source: x.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: java update (64 bit).exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\Desktop\x.exe | Process information set: 01 00 00 00

                            System Summary

                            barindex
                            Source: x.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\ProgramData\java update (64 bit).exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\Desktop\x.exeCode function: 0_2_00007FFD346758B60_2_00007FFD346758B6
                            Source: C:\Users\user\Desktop\x.exeCode function: 0_2_00007FFD346706100_2_00007FFD34670610
                            Source: C:\Users\user\Desktop\x.exeCode function: 0_2_00007FFD346766620_2_00007FFD34676662
                            Source: C:\Users\user\Desktop\x.exeCode function: 0_2_00007FFD346717710_2_00007FFD34671771
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FFD34679420
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FFD3467E778
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346856ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34685EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34685BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34686FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3466BA6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34665BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34733CA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34688EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34685EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3468577A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34688E4C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34685BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34753FF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD3467B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34675EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34675BFA
Source: x.exe, 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs x.exe
Source: x.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs x.exe
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\java update (64 bit).exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: x.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java update (64 bit).exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java update (64 bit).exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: java update (64 bit).exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: java update (64 bit).exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/20@1/2
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java update (64 bit).lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Users\user\Desktop\x.exe | Mutant created: \Sessions\1\BaseNamedObjects\Nu9nyO3CNn7y2AvB
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: x.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: x.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: x.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\x.exe
Source: unknown | Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java update (64 bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java update (64 bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java update (64 bit).exe'
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java update (64 bit).exe'
Source: C:\Users\user\Desktop\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: java update (64 bit).lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\java update (64 bit).exe
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                            Source: x.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: x.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: x.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: x.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: x.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: java update (64 bit).exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: java update (64 bit).exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: java update (64 bit).exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: x.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: x.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: x.exe, Messages.cs | .Net Code: Memory
                            Source: java update (64 bit).exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: java update (64 bit).exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: java update (64 bit).exe.0.dr, Messages.cs | .Net Code: Memory
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3456D2A5 pushad ; iretd 2_2_00007FFD3456D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3454D2A5 pushad ; iretd 5_2_00007FFD3454D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3456D2A5 pushad ; iretd 10_2_00007FFD3456D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD346800BD pushad ; iretd 10_2_00007FFD346800C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD3455D2A5 pushad ; iretd 12_2_00007FFD3455D2A6
                            Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\java update (64 bit).exe

                            Boot Survival

                            Source: Yara match | File source: x.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED
                            Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java update (64 bit).lnk

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\x.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                            Malware Analysis System Evasion

                            Source: Yara match | File source: x.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: C:\Users\user\Desktop\x.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: x.exe, 00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                            Source: x.exe, java update (64 bit).exe.0.dr | Binary or memory string: SBIEDLL.DLLINFO
                            Source: C:\Users\user\Desktop\x.exe | Memory allocated: E40000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\x.exe | Memory allocated: 1A7F0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\x.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\x.exe | Window / User API: threadDelayed 9396
                            Source: C:\Users\user\Desktop\x.exe | Window / User API: threadDelayed 437
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3824
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5975
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6817
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2863
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7513
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1982
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1535
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8089
                            Source: C:\Users\user\Desktop\x.exe TID: 7072 | Thread sleep time: -33204139332677172s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904 | Thread sleep time: -5534023222112862s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6912 | Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132 | Thread sleep count: 7513 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132 | Thread sleep count: 1982 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2876 | Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7036 | Thread sleep count: 1535 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 592 | Thread sleep count: 8089 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Users\user\Desktop\x.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Users\user\Desktop\x.exe | File Volume queried: C:\ FullSizeInformation
                            Source: java update (64 bit).exe.0.dr | Binary or memory string: vmware
                            Source: x.exe, 00000000.00000002.3362013837.000000001B6A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Desktop\x.exe | Process information queried: ProcessInformation

                            Anti Debugging

                            Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FFD34676E61 CheckRemoteDebuggerPresent, 0_2_00007FFD34676E61
                            Source: C:\Users\user\Desktop\x.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\x.exe | Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\x.exe | Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
                            Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java update (64 bit).exe'
                            Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                            Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java update (64 bit).exe'
                            Source: C:\Users\user\Desktop\x.exe | Queries volume information: C:\Users\user\Desktop\x.exe VolumeInformation
                            Source: C:\Users\user\Desktop\x.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: Yara match | File source: x.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED
                            Source: x.exe, 00000000.00000002.3362013837.000000001B719000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\Desktop\x.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match | File source: x.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.3330204780.000000000283A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: x.exe PID: 5052, type: MEMORYSTR
                            Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match | File source: x.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.x.exe.500000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.3330204780.000000000283A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: x.exe PID: 5052, type: MEMORYSTR
                            Source: Yara match | File source: C:\ProgramData\java update (64 bit).exe, type: DROPPED
                            MITRE ATT&CK Matrix (one line per tactic column; a number in front of a technique is the count marker shown in the report for that technique)

                            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                            Execution: 12 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                            Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                            Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                            Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 11 Process Injection
                            Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                            Discovery: 1 File and Directory Discovery; 23 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                            Collection: 11 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                            Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            Behavior Graph ID: 1473982 | Sample: x.exe | Start date: 16/07/2024 | Architecture: WINDOWS | Score: 100
                            Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
                            x.exe (14 6) started
                              - DNS/IP: ip-api.com 208.95.112.1, 49708, 80, TUT-ASUS, United States
                              - DNS/IP: 89.213.177.100, 49719, 7000, EDGEtaGCIComGB, United Kingdom
                              - Dropped file: C:\ProgramData\java update (64 bit).exe, PE32
                              - Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
                              - Started: powershell.exe (23), powershell.exe (22), powershell.exe (23), powershell.exe (23)
                                - powershell.exe signature: Loading BitLocker PowerShell Module
                                - Each powershell.exe started conhost.exe



                            Source | Detection | Scanner | Label
                            x.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                            x.exe | 100% | Avira | TR/Spy.Gen
                            x.exe | 100% | Joe Sandbox ML |
                            Source | Detection | Scanner | Label
                            C:\ProgramData\java update (64 bit).exe | 100% | Avira | TR/Spy.Gen
                            C:\ProgramData\java update (64 bit).exe | 100% | Joe Sandbox ML |
                            C:\ProgramData\java update (64 bit).exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                            No Antivirus matches
                            No Antivirus matches
                            Source | Detection | Scanner | Label
                            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                            https://contoso.com/ | 0% | URL Reputation | safe
                            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                            https://contoso.com/License | 0% | URL Reputation | safe
                            https://contoso.com/Icon | 0% | URL Reputation | safe
                            https://aka.ms/pscore68 | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                            http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                            http://www.microsoft.co( | 0% | Avira URL Cloud | safe
                            http://crl.m. | 0% | Avira URL Cloud | safe
                            http://www.microsoft.co | 0% | Avira URL Cloud | safe
                            http://crl.m | 0% | Avira URL Cloud | safe
                            http://www.microsoft.cots/MicrosoftP | 0% | Avira URL Cloud | safe
                            http://crl.v | 0% | Avira URL Cloud | safe
                            http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
                            https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
                            http://crl.mic | 0% | Avira URL Cloud | safe
                            89.213.177.100 | 0% | Avira URL Cloud | safe
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            ip-api.com | 208.95.112.1 | true | true | | unknown
                            Name | Malicious | Antivirus Detection | Reputation
                            89.213.177.100 | true | Avira URL Cloud: safe | unknown
                            http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://www.microsoft.cots/MicrosoftP | powershell.exe, 00000002.00000002.2175066686.000002CD639FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2167804276.000002CD5B2B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2250198480.0000021825452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2400159540.0000024010072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.microsoft.co( | powershell.exe, 0000000A.00000002.2427370462.00000240758E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://crl.m | powershell.exe, 00000002.00000002.2175066686.000002CD639FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://crl.m. | powershell.exe, 00000005.00000002.2265322076.000002182DD06000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2152858285.000002CD4B46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.0000021815609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2152858285.000002CD4B46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.0000021815609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://contoso.com/ | powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2167804276.000002CD5B2B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2250198480.0000021825452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2400159540.0000024010072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://www.microsoft.co | powershell.exe, 00000002.00000002.2175066686.000002CD639FC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2265322076.000002182DD06000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            https://contoso.com/License | powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://crl.mic | powershell.exe, 00000005.00000002.2263789360.000002182DC10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            https://contoso.com/Icon | powershell.exe, 0000000C.00000002.2592725003.000001AE46B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://crl.micft.cMicRosof | powershell.exe, 00000005.00000002.2263789360.000002182DC10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2152858285.000002CD4B241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.00000218153E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36AD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | x.exe, 00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2152858285.000002CD4B241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2203473345.00000218153E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2306120466.0000024000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2463772548.000001AE36AD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://crl.v | powershell.exe, 0000000C.00000002.2460597766.000001AE36993000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.2463772548.000001AE36CF8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
• IP: 208.95.112.1, Domain: ip-api.com, Country: United States, ASN: 53334, ASN Name: TUT-ASUS, Malicious: true
• IP: 89.213.177.100, Domain: unknown, Country: United Kingdom, ASN: 8851, ASN Name: EDGEtaGCIComGB, Malicious: true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1473982
                              Start date and time:2024-07-16 06:23:04 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 9s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:x.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@13/20@1/2
                              EGA Information:
                              • Successful, ratio: 20%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 48
                              • Number of non-executed functions: 6
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target powershell.exe, PID 2788 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 4040 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 6284 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 6928 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: x.exe
Timeline (Time, Type, Description):
• Time: 00:23:56, Type: API Interceptor, Description: 46x Sleep call for process: powershell.exe modified
• Time: 00:24:48, Type: API Interceptor, Description: 506743x Sleep call for process: x.exe modified
• Time: 06:24:52, Type: Autostart, Description: Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java update (64 bit).lnk
Match: 208.95.112.1 (Associated Sample Name / URL, Detection, Threat Name, Context):
• DOC20240715_00034.bat.exe, Detection: malicious, Threat Name: GuLoader, Context: ip-api.com/line/?fields=hosting
• svchost.exe, Detection: malicious, Threat Name: JLORAT, Context: ip-api.com/json/?fields=status,message,country,countryCode,region,regionName,city,zip,lat,lon,timezone,isp,org,reverse,mobile,proxy,query
• rPago.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: ip-api.com/line/?fields=hosting
• SecuriteInfo.com.Trojan.Win64.Agent.24802.8298.exe, Detection: malicious, Threat Name: JLORAT, Context: ip-api.com/json/?fields=status,message,country,countryCode,region,regionName,city,zip,lat,lon,timezone,isp,org,reverse,mobile,proxy,query
• mano.scr.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: ip-api.com/line/?fields=hosting
• mano.doc, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: ip-api.com/line/?fields=hosting
• 509-442.docx.doc, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: ip-api.com/line/?fields=hosting
• doc20240715-00014.bat.exe, Detection: malicious, Threat Name: GuLoader, Context: ip-api.com/line/?fields=hosting
• Great Lake - Quote#474701.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Solicitud urgente de presupuestoNueva colaboraci#U00f3n pdf.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
Match: ip-api.com (Associated Sample Name / URL, Detection, Threat Name, Context):
• DOC20240715_00034.bat.exe, Detection: malicious, Threat Name: GuLoader, Context: 208.95.112.1
• SecuriteInfo.com.Program.Unwanted.5466.26571.15059.exe, Detection: malicious, Threat Name: Unknown, Context: 51.77.64.70
• SecuriteInfo.com.Program.Unwanted.5466.26571.15059.exe, Detection: malicious, Threat Name: Unknown, Context: 51.77.64.70
• Hilcorp.pdf, Detection: malicious, Threat Name: Unknown, Context: 51.77.64.70
• svchost.exe, Detection: malicious, Threat Name: JLORAT, Context: 208.95.112.1
• rPago.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• SecuriteInfo.com.Trojan.Win64.Agent.24802.8298.exe, Detection: malicious, Threat Name: JLORAT, Context: 208.95.112.1
• mano.scr.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• mano.doc, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• 509-442.docx.doc, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
Match: EDGEtaGCIComGB (Associated Sample Name / URL, Detection, Threat Name, Context):
• botx.arm6.elf, Detection: malicious, Threat Name: Mirai, Context: 212.38.80.100
• Setup.exe, Detection: malicious, Threat Name: AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine, Context: 89.213.177.81
• lkHUYpJ8S7.exe, Detection: malicious, Threat Name: Njrat, Context: 89.213.177.81
• sevchost.exe, Detection: malicious, Threat Name: XWorm, Context: 89.213.177.81
• test.exe, Detection: malicious, Threat Name: XWorm, Context: 89.213.177.81
• XClient.exe, Detection: malicious, Threat Name: XWorm, Context: 89.213.177.81
• ServerManager.exe, Detection: malicious, Threat Name: XWorm, Context: 89.213.177.81
• MicrosoftService.exe, Detection: malicious, Threat Name: XWorm, Context: 89.213.177.81
• f6RyWmGZLw.elf, Detection: malicious, Threat Name: Unknown, Context: 217.144.153.241
• c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe, Detection: malicious, Threat Name: SystemBC, Context: 185.20.35.63
Match: TUT-ASUS (Associated Sample Name / URL, Detection, Threat Name, Context):
• DOC20240715_00034.bat.exe, Detection: malicious, Threat Name: GuLoader, Context: 208.95.112.1
• svchost.exe, Detection: malicious, Threat Name: JLORAT, Context: 208.95.112.1
• rPago.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• SecuriteInfo.com.Trojan.Win64.Agent.24802.8298.exe, Detection: malicious, Threat Name: JLORAT, Context: 208.95.112.1
• mano.scr.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• mano.doc, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• 509-442.docx.doc, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 208.95.112.1
• doc20240715-00014.bat.exe, Detection: malicious, Threat Name: GuLoader, Context: 208.95.112.1
• Great Lake - Quote#474701.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Solicitud urgente de presupuestoNueva colaboraci#U00f3n pdf.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
                              Process:C:\Users\user\Desktop\x.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):44544
                              Entropy (8bit):5.64110007140699
                              Encrypted:false
                              SSDEEP:768:mZzGU8kyq5bzbTfFX8WuFZ4sJF5PC9O9E68OMhy3/qQnMN:Czf95/b7J89/Fc9UE68OMInnMN
                              MD5:E61141A7AE1BBDD5FB0434F2C946B566
                              SHA1:E3D273EAA76AB582FB5B838247E353D0BA7F5A91
                              SHA-256:80FC8A632E482B50356C24F84A04F72DCEC1C88D1259C5F8B121C5ACC6135B93
                              SHA-512:23B02D8274E3EE73B882579017A8F12AB96F3B5B545F608ED8A84DE56787A00BCE06A4236F73951DFEB860F5817F8CC090C37B648A343A9CFE81332F967E11D6
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\java update (64 bit).exe, Author: Joe Security
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\java update (64 bit).exe, Author: Joe Security
                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\java update (64 bit).exe, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\java update (64 bit).exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 76%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .f................................ ........@.. ....................................@.................................|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......|]...Z............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:modified
                              Size (bytes):64
                              Entropy (8bit):0.34726597513537405
                              Encrypted:false
                              SSDEEP:3:Nlll:Nll
                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:@...e...........................................................
                              Process:C:\Users\user\Desktop\x.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):29
                              Entropy (8bit):3.598349098128234
                              Encrypted:false
                              SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                              MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                              SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                              SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                              SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:....### explorer ###..[WIN]r
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\x.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 16 03:24:48 2024, mtime=Tue Jul 16 03:24:48 2024, atime=Tue Jul 16 03:24:48 2024, length=44544, window=hide
                              Category:dropped
                              Size (bytes):730
                              Entropy (8bit):4.645962492921371
                              Encrypted:false
                              SSDEEP:12:8IFRcl/W3e+SJ9uNjAjhx8/D6bFEWMmV:8LAqupA1k+FEJm
                              MD5:C1234D33DD15BC3146D54DB478294F3B
                              SHA1:1D78534BCD5DCDE5F748F7FA3EDE9FA12BBBBFD7
                              SHA-256:392323CA11A4A7D802BFB0ACDD11AD50D1C31496652366145AEA1882E427ACC7
                              SHA-512:A50C202FE561A8E325B1B98F4CFE2D21C1373D111CAF9CAC596147C26E0EB03B5AEA67AD5E959B99CD2BE5D70C9A8A40C70064EBF8EF6F5759CBC40A9DF66685
                              Malicious:false
                              Preview:L..................F.... ....*.8.....*.8.....*.8................................P.O. .:i.....+00.../C:\...................`.1......X.". PROGRA~3..H......O.I.X."....g.....................B.).P.r.o.g.r.a.m.D.a.t.a.....~.2......X.# JAVAUP~1.EXE..b.......X.#.X.#..........................DW..j.a.v.a. .u.p.d.a.t.e. .(.6.4. .b.i.t.)...e.x.e.......V...............-.......U...........4.i].....C:\ProgramData\java update (64 bit).exe..?.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.j.a.v.a. .u.p.d.a.t.e. .(.6.4. .b.i.t.)...e.x.e.`.......X.......910646...........hT..CrF.f4... ...(K+C...-...-$..hT..CrF.f4... ...(K+C...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):5.64110007140699
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:x.exe
                              File size:44'544 bytes
                              MD5:e61141a7ae1bbdd5fb0434f2c946b566
                              SHA1:e3d273eaa76ab582fb5b838247e353d0ba7f5a91
                              SHA256:80fc8a632e482b50356c24f84a04f72dcec1c88d1259c5f8b121c5acc6135b93
                              SHA512:23b02d8274e3ee73b882579017a8f12ab96f3b5b545f608ed8a84de56787a00bce06a4236f73951dfeb860f5817f8cc090c37b648a343a9cfe81332f967e11d6
                              SSDEEP:768:mZzGU8kyq5bzbTfFX8WuFZ4sJF5PC9O9E68OMhy3/qQnMN:Czf95/b7J89/Fc9UE68OMInnMN
                              TLSH:BF135B4477C54222E1FEABF919B366460774EA135913DB5E0CE88E9A3F337C48A417D2
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .f................................. ........@.. ....................................@................................
                              Icon Hash:4df4f2f2d0d8f845
                              Entrypoint:0x40b7ce
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6695201A [Mon Jul 15 13:11:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb77c | 0x4f | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x10e8 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x2000 | 0x97d4 | 0x9800 | 05f9555f9575837836a3ff75baf31010 | False | 0.49300986842105265 | data | 5.709290052419686 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc | 0xc000 | 0x10e8 | 0x1200 | b75a2d8ca535aa7ea7de2f801716f856 | False | 0.3784722222222222 | data | 4.916182694691449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xe000 | 0xc | 0x200 | df2288769e8c749a94aac84982c6fd4f | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_ICON | 0xc190 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.46959459459459457
                              RT_ICON | 0xc2b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.36560693641618497
                              RT_ICON | 0xc820 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.4441489361702128
                              RT_GROUP_ICON | 0xcc88 | 0x30 | data | | | 0.7708333333333334
                              RT_VERSION | 0xccb8 | 0x244 | data | | | 0.4724137931034483
                              RT_MANIFEST | 0xcefc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                              DLL | Import
                              mscoree.dll | _CorExeMain
                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              07/16/24-06:25:03.741667 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              07/16/24-06:26:01.633601 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              07/16/24-06:26:03.286405 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              07/16/24-06:26:03.286405 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jul 16, 2024 06:23:55.900763035 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
                              Jul 16, 2024 06:23:55.906167984 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
                              Jul 16, 2024 06:23:55.906232119 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
                              Jul 16, 2024 06:23:55.907084942 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
                              Jul 16, 2024 06:23:55.912410975 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
                              Jul 16, 2024 06:23:56.374176025 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
                              Jul 16, 2024 06:23:56.425908089 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
                              Jul 16, 2024 06:24:49.419214964 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:24:49.424171925 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:24:49.424423933 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:24:49.470091105 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:24:49.475109100 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:03.272269011 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:03.316817045 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:03.741667032 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:03.746709108 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:04.136599064 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:04.138923883 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:04.144242048 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:05.021368980 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
                              Jul 16, 2024 06:25:05.021572113 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
                              Jul 16, 2024 06:25:18.020339012 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:18.025530100 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:18.396919966 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:18.398941994 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:18.403765917 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:32.301580906 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:32.306704044 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:32.673635960 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:32.723069906 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:32.791596889 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:32.796497107 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:33.270569086 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:33.316957951 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:36.380846024 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
                              Jul 16, 2024 06:25:36.386050940 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
                              Jul 16, 2024 06:25:46.582659960 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:46.588079929 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:46.955250025 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:25:46.956819057 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:25:46.961697102 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:26:01.113825083 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:26:01.118921995 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:26:01.632663965 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:26:01.633600950 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Jul 16, 2024 06:26:01.638603926 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:26:03.286405087 CEST | 7000 | 49719 | 89.213.177.100 | 192.168.2.6
                              Jul 16, 2024 06:26:03.332389116 CEST | 49719 | 7000 | 192.168.2.6 | 89.213.177.100
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jul 16, 2024 06:23:55.857305050 CEST | 60565 | 53 | 192.168.2.6 | 1.1.1.1
                              Jul 16, 2024 06:23:55.864526987 CEST | 53 | 60565 | 1.1.1.1 | 192.168.2.6
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Jul 16, 2024 06:23:55.857305050 CEST | 192.168.2.6 | 1.1.1.1 | 0x3d8c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Jul 16, 2024 06:23:55.864526987 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d8c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                              • ip-api.com
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.6 | 49708 | 208.95.112.1 | 80 | 5052 | C:\Users\user\Desktop\x.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Jul 16, 2024 06:23:55.907084942 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                              Host: ip-api.com
                              Connection: Keep-Alive
                              Jul 16, 2024 06:23:56.374176025 CEST | 175 | IN | HTTP/1.1 200 OK
                              Date: Tue, 16 Jul 2024 04:23:55 GMT
                              Content-Type: text/plain; charset=utf-8
                              Content-Length: 6
                              Access-Control-Allow-Origin: *
                              X-Ttl: 60
                              X-Rl: 44
                              Data Raw: 66 61 6c 73 65 0a
                              Data Ascii: false


                              Target ID:0
                              Start time:00:23:51
                              Start date:16/07/2024
                              Path:C:\Users\user\Desktop\x.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\x.exe"
                              Imagebase:0x500000
                              File size:44'544 bytes
                              MD5 hash:E61141A7AE1BBDD5FB0434F2C946B566
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3330204780.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3330204780.000000000283A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2081793686.0000000000502000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                              Reputation:low
                              Has exited:false

                              Target ID:2
                              Start time:00:23:55
                              Start date:16/07/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:00:23:55
                              Start date:16/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:00:24:01
                              Start date:16/07/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:00:24:01
                              Start date:16/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:00:24:11
                              Start date:16/07/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java update (64 bit).exe'
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:00:24:11
                              Start date:16/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:00:24:26
                              Start date:16/07/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java update (64 bit).exe'
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:00:24:26
                              Start date:16/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                                Execution Graph

                                Execution Coverage:19.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:15.8%
                                Total number of Nodes:19
                                Total number of Limit Nodes:0
                                execution_graph
                                5602 7ffd34676e61
                                5603 7ffd34676eae CheckRemoteDebuggerPresent
                                5602->5603
                                5605 7ffd34676f1f
                                5603->5605
                                5590 7ffd34678a0d
                                5591 7ffd34678a3f RtlSetProcessIsCritical
                                5590->5591
                                5593 7ffd34678af2
                                5591->5593
                                5594 7ffd34678dad
                                5595 7ffd34678dbf
                                5594->5595
                                5598 7ffd346783c0
                                5595->5598
                                5597 7ffd34678dfb
                                5600 7ffd346783c9 SetWindowsHookExW
                                5598->5600
                                5601 7ffd34679031
                                5600->5601
                                5601->5597
                                5610 7ffd34678f58
                                5612 7ffd34678f61 SetWindowsHookExW
                                5610->5612
                                5613 7ffd34679031
                                5612->5613
                                5606 7ffd34678d65
                                5607 7ffd34678d7b
                                5606->5607
                                5608 7ffd346783c0 SetWindowsHookExW
                                5607->5608
                                5609 7ffd34678dfb
                                5607->5609
                                5608->5609

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 29 7ffd34679420-7ffd3467d783 31 7ffd3467d7cd-7ffd3467d7e0 29->31 32 7ffd3467d785-7ffd3467d790 call 7ffd34670640 29->32 33 7ffd3467d7e2-7ffd3467d7ff 31->33 34 7ffd3467d856 31->34 36 7ffd3467d795-7ffd3467d7e0 32->36 38 7ffd3467d85b-7ffd3467d870 33->38 40 7ffd3467d801-7ffd3467d851 call 7ffd3467b4e0 33->40 34->38 36->33 36->34 44 7ffd3467d872-7ffd3467d889 call 7ffd34670830 call 7ffd34670650 38->44 45 7ffd3467d88e-7ffd3467d8a3 38->45 65 7ffd3467e438-7ffd3467e446 40->65 44->65 52 7ffd3467d8da-7ffd3467d8ef 45->52 53 7ffd3467d8a5-7ffd3467d8d5 call 7ffd34670830 45->53 63 7ffd3467d902-7ffd3467d917 52->63 64 7ffd3467d8f1-7ffd3467d8fd call 7ffd3467ace8 52->64 53->65 72 7ffd3467d95d-7ffd3467d972 63->72 73 7ffd3467d919-7ffd3467d91c 63->73 64->65 78 7ffd3467d974-7ffd3467d977 72->78 79 7ffd3467d9b3-7ffd3467d9c8 72->79 73->34 74 7ffd3467d922-7ffd3467d92d 73->74 74->34 77 7ffd3467d933-7ffd3467d958 call 7ffd34670628 call 7ffd3467ace8 74->77 77->65 78->34 81 7ffd3467d97d-7ffd3467d988 78->81 86 7ffd3467d9ca-7ffd3467d9cd 79->86 87 7ffd3467d9f5-7ffd3467da0a 79->87 81->34 84 7ffd3467d98e-7ffd3467d9ae call 7ffd34670628 call 7ffd34679470 81->84 84->65 86->34 89 7ffd3467d9d3-7ffd3467d9f0 call 7ffd34670628 call 7ffd34679478 86->89 96 7ffd3467dae2-7ffd3467daf7 87->96 97 7ffd3467da10-7ffd3467da5c call 7ffd346705b0 87->97 89->65 105 7ffd3467daf9-7ffd3467dafc 96->105 106 7ffd3467db16-7ffd3467db2b 96->106 97->34 130 7ffd3467da62-7ffd3467da9a call 7ffd34672490 97->130 105->34 107 7ffd3467db02-7ffd3467db11 call 7ffd34679450 105->107 114 7ffd3467db4d-7ffd3467db62 106->114 115 7ffd3467db2d-7ffd3467db30 106->115 107->65 121 7ffd3467db64-7ffd3467db7d 114->121 122 7ffd3467db82-7ffd3467db97 114->122 115->34 116 7ffd3467db36-7ffd3467db48 call 7ffd34679450 115->116 116->65 121->65 127 7ffd3467db99-7ffd3467dbb2 122->127 128 7ffd3467dbb7-7ffd3467dbcc 122->128 127->65 133 7ffd3467dbce-7ffd3467dbe7 128->133 134 7ffd3467dbec-7ffd3467dc01 128->134 130->34 147 7ffd3467daa0-7ffd3467dadd call 7ffd3467acf8 130->147 133->65 140 7ffd3467dc03-7ffd3467dc06 134->140 141 7ffd3467dc2a-7ffd3467dc3f 134->141 140->34 142 7ffd3467dc0c-7ffd3467dc25 140->142 148 7ffd3467dcdf-7ffd3467dcf4 141->148 149 7ffd3467dc45-7ffd3467dcbd 141->149 142->65 147->65 155 7ffd3467dd0c-7ffd3467dd21 148->155 156 7ffd3467dcf6-7ffd3467dd07 148->156 149->34 176 7ffd3467dcc3-7ffd3467dcda 149->176 163 7ffd3467ddc1-7ffd3467ddd6 155->163 164 7ffd3467dd27-7ffd3467dd40 155->164 156->65 170 7ffd3467ddee-7ffd3467de03 163->170 171 7ffd3467ddd8-7ffd3467dde9 163->171 164->163 177 7ffd3467de44-7ffd3467de59 170->177 178 7ffd3467de05-7ffd3467de3f call 7ffd34670af0 call 7ffd3467b4e0 170->178 171->65 176->65 182 7ffd3467df00-7ffd3467df15 177->182 183 7ffd3467de5f-7ffd3467defb call 7ffd34670af0 call 7ffd3467b4e0 177->183 178->65 189 7ffd3467dfa3-7ffd3467dfb8 182->189 190 7ffd3467df1b-7ffd3467df1e 182->190 183->65 197 7ffd3467dfcc-7ffd3467dfe1 189->197 198 7ffd3467dfba-7ffd3467dfc7 call 7ffd3467b4e0 189->198 191 7ffd3467df20-7ffd3467df2b 190->191 192 7ffd3467df98-7ffd3467df9d 190->192 191->192 195 7ffd3467df2d-7ffd3467df96 call 7ffd34670af0 call 7ffd3467b4e0 191->195 206 7ffd3467df9e 192->206 195->206 210 7ffd3467dfe3-7ffd3467e01d call 7ffd34670af0 call 7ffd3467b4e0 197->210 211 7ffd3467e022-7ffd3467e037 197->211 198->65 206->65 210->65 218 7ffd3467e0c2-7ffd3467e0d7 211->218 219 7ffd3467e03d-7ffd3467e04e 211->219 230 7ffd3467e0d9-7ffd3467e0dc 218->230 231 7ffd3467e117-7ffd3467e12c 218->231 219->34 228 7ffd3467e054-7ffd3467e064 call 7ffd34670620 219->228 240 7ffd3467e0a0-7ffd3467e0bd call 7ffd34670620 call 7ffd34670628 call 7ffd34679428 228->240 241 7ffd3467e066-7ffd3467e09b call 7ffd3467b4e0 228->241 230->34 234 7ffd3467e0e2-7ffd3467e112 call 7ffd34670618 call 7ffd34670628 call 7ffd34679428 230->234 242 7ffd3467e172-7ffd3467e187 231->242 243 7ffd3467e12e-7ffd3467e16d call 7ffd3467b1a0 call 7ffd3467b9d8 call 7ffd34679430 231->243 234->65 240->65 241->65 260 7ffd3467e1f1-7ffd3467e206 242->260 261 7ffd3467e189-7ffd3467e1ec call 7ffd34670af0 call 7ffd3467b4e0 242->261 243->65 260->65 280 7ffd3467e20c-7ffd3467e213 260->280 261->65 284 7ffd3467e226-7ffd3467e340 call 7ffd3467ad18 call 7ffd3467ad28 call 7ffd3467ad38 call 7ffd3467ad48 call 7ffd34677b80 call 7ffd3467ad58 call 7ffd3467ad28 call 7ffd3467ad38 280->284 285 7ffd3467e215-7ffd3467e21f call 7ffd3467ad08 280->285 320 7ffd3467e342-7ffd3467e346 284->320 321 7ffd3467e3b1-7ffd3467e3c6 call 7ffd34670af0 284->321 285->284 323 7ffd3467e348-7ffd3467e3a7 call 7ffd3467ad68 call 7ffd3467ad78 320->323 324 7ffd3467e3c7-7ffd3467e437 call 7ffd34670630 call 7ffd3467b4e0 320->324 321->324 323->321 324->65
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 01f8cdb8f639a408c4deb009fb6576c500efc3646aee7a64c16edf527c88c417
                                • Instruction ID: 1a56c2f97c189a304eb9a949cc57fecabea52f8d193a9f8c4d036c044dc96678
                                • Opcode Fuzzy Hash: 01f8cdb8f639a408c4deb009fb6576c500efc3646aee7a64c16edf527c88c417
                                • Instruction Fuzzy Hash: A6724E30B1C91A4BEBA4EB7888B56B977D2EF99304F508579D51EC32C6DE3CE8429740

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 347 7ffd34670610-7ffd34670cdf 355 7ffd34670ce1-7ffd34670ce6 347->355 356 7ffd34670ce8-7ffd34670cec 347->356 357 7ffd34670cef-7ffd34670d09 355->357 356->357 359 7ffd34670d43-7ffd34670d89 357->359 360 7ffd34670d0b-7ffd34670d3d 357->360 367 7ffd34670d3f-7ffd34670d41 360->367 368 7ffd34670d8a-7ffd34670dd0 360->368 367->359 367->360 373 7ffd3467140a-7ffd34671451 368->373 374 7ffd34670dd6-7ffd34670f05 call 7ffd34670538 * 8 call 7ffd34670648 368->374 415 7ffd34670f0f-7ffd34670f77 call 7ffd346704b8 call 7ffd346704b0 call 7ffd34670358 call 7ffd34670368 374->415 416 7ffd34670f07-7ffd34670f0e 374->416 430 7ffd34670f78-7ffd34670f86 415->430 416->415 432 7ffd34670f99-7ffd34670fa9 430->432 433 7ffd34670f88-7ffd34670f92 430->433 436 7ffd34670fd1-7ffd34670ff1 432->436 437 7ffd34670fab-7ffd34670fb6 432->437 433->432 444 7ffd34670ff3-7ffd34670ffd call 7ffd34670378 436->444 445 7ffd34671002-7ffd346710e4 436->445 437->430 439 7ffd34670fb8-7ffd34670fca call 7ffd34670358 437->439 439->436 444->445 459 7ffd34671132-7ffd34671165 445->459 460 7ffd346710e6-7ffd346710fb 445->460 467 7ffd3467118a-7ffd346711ba 459->467 468 7ffd34671167-7ffd34671188 459->468 460->459 469 7ffd346711c2-7ffd346711f9 467->469 468->469 475 7ffd3467121e-7ffd3467124e 469->475 476 7ffd346711fb-7ffd3467121c 469->476 477 7ffd34671256-7ffd34671338 call 7ffd34670388 call 7ffd346705e8 call 7ffd34670788 475->477 476->477 496 7ffd3467133f-7ffd3467134a 477->496 497 7ffd3467133a call 7ffd34670828 477->497 500 7ffd3467135d-7ffd346713ea 496->500 501 7ffd3467134c-7ffd34671356 496->501 497->496 511 7ffd346713f1-7ffd34671409 500->511 501->500
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID:
                                • String ID: CAN_^
                                • API String ID: 0-3098826533
                                • Opcode ID: 33db3566496b80518fc28a20c8ab2958dc7bf9798383c65955d927835bc552a6
                                • Instruction ID: a57d6e15c096cde85fbe91e80c349ce67045d6d69fb65cc59caa6d7a138910b3
                                • Opcode Fuzzy Hash: 33db3566496b80518fc28a20c8ab2958dc7bf9798383c65955d927835bc552a6
                                • Instruction Fuzzy Hash: 4E32F621B2CA594FE7A4FB7C88B96F97BD1FF99314F44457AE04EC3292DD28A8018741

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 624 7ffd34676e61-7ffd34676f1d CheckRemoteDebuggerPresent 627 7ffd34676f1f 624->627 628 7ffd34676f25-7ffd34676f68 624->628 627->628
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                • Opcode ID: 4886545f5b800c65da8dc56fcfe9d7e10851594d9fbfa4a356f05016a396b407
                                • Instruction ID: f7d5af94654e59870b680454339343bbdf74560154df5f309cec36558a1df7b3
                                • Opcode Fuzzy Hash: 4886545f5b800c65da8dc56fcfe9d7e10851594d9fbfa4a356f05016a396b407
                                • Instruction Fuzzy Hash: 8531233190875C8FCB19DF98C84A7E97BE0FF66321F0541ABD489D7252DB34A842CB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 22ac309cf8773eada0fb94d1e4f21e6b43b707603a0b383baa2c86f1753bc10a
                                • Instruction ID: a17e0a85395b2f60fea7f10a0294a45ff6bbf3cfb1fe44896cca82777baea270
                                • Opcode Fuzzy Hash: 22ac309cf8773eada0fb94d1e4f21e6b43b707603a0b383baa2c86f1753bc10a
                                • Instruction Fuzzy Hash: 7FF1A730608A8D8FEBA8DF28CCA57E97BD1FF55310F04826ED84DC7691DB3899458B81
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c0cf8bdf91618518bc16f8faab919d805b3385b46de439228e8c03fb90ed085
                                • Instruction ID: 2ba71acedc8cfbeefe531bb654d57184b9e2496f4bbffc8db1e5745b606ce82e
                                • Opcode Fuzzy Hash: 2c0cf8bdf91618518bc16f8faab919d805b3385b46de439228e8c03fb90ed085
                                • Instruction Fuzzy Hash: EBE1C930608A4E8FEBA9DF28C8957E97BD1FF55310F14826ED84DC7291DF78A8458781
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7eeb111534b53f6101af02337504cf02fb11609759d03c17fd50fa4246a62e21
                                • Instruction ID: fc4056e2658213c94d7bf5fb6f129a684414605c3b60e8e2b83db34bd7412e26
                                • Opcode Fuzzy Hash: 7eeb111534b53f6101af02337504cf02fb11609759d03c17fd50fa4246a62e21
                                • Instruction Fuzzy Hash: BCC1C521B1DA594FEB94EB7888B52F97BD2EF99304F14417BD14EC3392DE2CA8019741

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 590 7ffd34678a0d-7ffd34678af0 RtlSetProcessIsCritical 594 7ffd34678af2 590->594 595 7ffd34678af8-7ffd34678b2d 590->595 594->595
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID: CriticalProcess
                                • String ID:
                                • API String ID: 2695349919-0
                                • Opcode ID: 4166b2f929413de07e987449ca86159552bba27f74bd4769ac45e2c16de68178
                                • Instruction ID: 06bd34b716600bcb38dffce2b35dec7980afaececc67c2f8b6a1b7a33a368aff
                                • Opcode Fuzzy Hash: 4166b2f929413de07e987449ca86159552bba27f74bd4769ac45e2c16de68178
                                • Instruction Fuzzy Hash: CF41F33190C7498FD729DFA8C855AE9BBF0FF56311F04416ED08AD3592CB746846CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 597 7ffd34678f58-7ffd34678f5f 598 7ffd34678f61-7ffd34678f69 597->598 599 7ffd34678f6a-7ffd34678fdd 597->599 598->599 603 7ffd34678fe3-7ffd34678ff0 599->603 604 7ffd34679069-7ffd3467906d 599->604 605 7ffd34678ff2-7ffd3467902f SetWindowsHookExW 603->605 604->605 607 7ffd34679031 605->607 608 7ffd34679037-7ffd34679068 605->608 607->608
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: 8456467ad7d9fceed6712b4abc243ef54b04b2e3d949189b525da1b3f0199195
                                • Instruction ID: 710d45cb7e3871ba34f383e2fc8a090beb7f97cf7a9ef0c9beb7f90c95242682
                                • Opcode Fuzzy Hash: 8456467ad7d9fceed6712b4abc243ef54b04b2e3d949189b525da1b3f0199195
                                • Instruction Fuzzy Hash: 4F310B31A1CA5C4FEB18DBAC98566F97BE1EB59321F00427ED049D3292CE75A812C7C1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 611 7ffd346783c0-7ffd34678fdd 616 7ffd34678fe3-7ffd34678ff0 611->616 617 7ffd34679069-7ffd3467906d 611->617 618 7ffd34678ff2-7ffd3467902f SetWindowsHookExW 616->618 617->618 620 7ffd34679031 618->620 621 7ffd34679037-7ffd34679068 618->621 620->621
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: 0110630a36d98dd3a3a9613fe54180633801f3eb6514db03ffdfb4dd125a3559
                                • Instruction ID: 59fc0e801b52e83dcc269869d8781b00bdfbf998db2b6cf4f3074e1dd2c01e56
                                • Opcode Fuzzy Hash: 0110630a36d98dd3a3a9613fe54180633801f3eb6514db03ffdfb4dd125a3559
                                • Instruction Fuzzy Hash: 3231E631A1CA5C4FEB18EFACD8556F9BBE1EB69311F00417ED049D3292DA74A85287C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.3370304242.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd34670000_x.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 83a685ef1fd37597d6ea9a9f295c554084b9f87b320808b25843303b3a127f01
                                • Instruction ID: f4da4b61c17048ad169769fd9a0cd05f28c247d704ba1a5531c413420233c361
                                • Opcode Fuzzy Hash: 83a685ef1fd37597d6ea9a9f295c554084b9f87b320808b25843303b3a127f01
                                • Instruction Fuzzy Hash: DF71CA2064F3C44FE3439738D8A86E57FD1AF83325F0D81FAE098CA4A3DA994506C752
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177828456.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7f7efdf052bc79e35a1268a6b4d3117bbdcdde243454399ff1eb36e31ef15ee
                                • Instruction ID: b15e9be5b5275ff08b8af9d4a7286aba70d68bc8ab41dd6ec33ba072b41c6c70
                                • Opcode Fuzzy Hash: c7f7efdf052bc79e35a1268a6b4d3117bbdcdde243454399ff1eb36e31ef15ee
                                • Instruction Fuzzy Hash: D13235A2A0E7C94FE756972958B52A43FE1DF53220B1901FBD18DCB1A3D91CAC07D392
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177342601.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8292ec1db658134f8a61f2c4d37d9ddd56f2ee02d00f8296015cf6ebb03ea03f
                                • Instruction ID: 673d4f541b42ae2519c100ec529a9f28683fadda50cdff0544f3db53b804c982
                                • Opcode Fuzzy Hash: 8292ec1db658134f8a61f2c4d37d9ddd56f2ee02d00f8296015cf6ebb03ea03f
                                • Instruction Fuzzy Hash: 74115E3691E7C44FDB539F389C650E43FB0EE67211B0A01EBD988CB0A3D619590DC7A2
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177342601.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a566974338a5653de2acb933c486481bff6f112ae3ed73407093bd83b7792156
                                • Instruction ID: 9ab5cd68462ab577655d744d19a3ab9ae790e665353feebc96c7356a37ff6052
                                • Opcode Fuzzy Hash: a566974338a5653de2acb933c486481bff6f112ae3ed73407093bd83b7792156
                                • Instruction Fuzzy Hash: EB310971A1CF489FDB5C9F5CA8466F97BE0FB99310F00422FE449D3252DA24A816CBC2
                                Memory Dump Source
                                • Source File: 00000002.00000002.2176833526.00007FFD3456D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3456D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd3456d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c24f5ec49a9b8488db6789bbe497e20ce2df22d222eeffc77321f62752c319c4
                                • Instruction ID: 1ce91b4bca1019a60186739ff510e5ddc00f3422d4fe9c72663e024d9cb8f411
                                • Opcode Fuzzy Hash: c24f5ec49a9b8488db6789bbe497e20ce2df22d222eeffc77321f62752c319c4
                                • Instruction Fuzzy Hash: 4641F27190EBC44FE7568B2898959523FB0EF53324B1502EFD48CCB1A7D629B846C792
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177342601.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aa7aeff101ec2edcd3987004523c31a89a60d2ad7257b3cea31a1846babc48e5
                                • Instruction ID: 8b49631a986af8dbe656e2651bb81c72132034fa5d483708f4613622f7cc90f1
                                • Opcode Fuzzy Hash: aa7aeff101ec2edcd3987004523c31a89a60d2ad7257b3cea31a1846babc48e5
                                • Instruction Fuzzy Hash: 28212830A0CB4C4FEB59DFAC9C8A7E97FE0EB96320F04416BD448C3156DA749856CB92
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177828456.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c86dfa32b94c08f1d6208c6ad8a98bad407b75c6bc3dad689fa655217090a3ad
                                • Instruction ID: c2bbd799e353e4d68f700ca909f03b4549b69be0e5bade8c1d8abf3aa8f63944
                                • Opcode Fuzzy Hash: c86dfa32b94c08f1d6208c6ad8a98bad407b75c6bc3dad689fa655217090a3ad
                                • Instruction Fuzzy Hash: 1D21B4A3B0DA968FE7A5AB1944E127476D2EF66210B5900FAD14DCB192DD1CFC069381
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177828456.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b498a655824df1a38d19cab2aee8105dcdf7b57436ddc4675bc35c199c901057
                                • Instruction ID: e058a671dd070f730a226f41e057d07076fce1847c81e295196dfd4f49743cfa
                                • Opcode Fuzzy Hash: b498a655824df1a38d19cab2aee8105dcdf7b57436ddc4675bc35c199c901057
                                • Instruction Fuzzy Hash: 6B1102B2F0E6898FE7A4D71984E46B877E1EF4622475900FAD15DDB1A2D92CBC0293C1
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177828456.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2651779a8b92400a837e54aad3bf3864a8b9a98400a4d6595ecdc9c2ec853f3
                                • Instruction ID: 112d60cecf6e213352f8681eb053e585c270ae98588755c80ac1f3cf059d0a0f
                                • Opcode Fuzzy Hash: c2651779a8b92400a837e54aad3bf3864a8b9a98400a4d6595ecdc9c2ec853f3
                                • Instruction Fuzzy Hash: A91123B2F0D6888FEB61DA5844A41687BE1EF1A214F1840FEC54CCB093D928B846C351
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177342601.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                • Instruction ID: 99ccd9aa28ab21da87489c59e0d9d7a1036f9ae1a88a610e4ac9eb2b15120870
                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                • Instruction Fuzzy Hash: 2701677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E892CB45
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177342601.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90a50859c9d58e3f77c95b8ba7fee5d9317f6660df9ea396ac8fabcdfb6aaff4
                                • Instruction ID: a3ecd1f7347f0d9cb50bc674cf795c8413e5c170b4baffba79c76cf8ec673dbc
                                • Opcode Fuzzy Hash: 90a50859c9d58e3f77c95b8ba7fee5d9317f6660df9ea396ac8fabcdfb6aaff4
                                • Instruction Fuzzy Hash: 04F0B43120C7094FDB94DF0CE4925A5B3E0EB96330F00052EE68AC7152DA27E883CB42
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2177342601.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: L_^4$L_^7$L_^F$L_^J
                                • API String ID: 0-3225005683
                                • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                • Instruction ID: 3f7ac82a682a578a4f261a0f346ec01a207f207bf7c156ecb7e514b89dd2c68f