
Windows Analysis Report
x.exe

Overview

General Information

Sample name:x.exe
Analysis ID:1473983
MD5:eacd19fe747d17c6740b0a8a50de29ac
SHA1:4f47aa2b91b52caa981197d9bed3435422d48d80
SHA256:9208a02c664094fa2633d6834c10c680fb24e1e900d449814dbbd1c48718f4ba
Tags:exe, xworm
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\x.exe" MD5: EACD19FE747D17C6740B0A8A50DE29AC)
    • powershell.exe (PID: 3440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java Update Checker (64 bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java Update Checker (64 bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

{"C2 url": ["89.213.177.93"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
x.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
x.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8509:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x85a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x86bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x81b7:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\ProgramData\java Update Checker (64 bit).exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\java Update Checker (64 bit).exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8509:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x85a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x86bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x81b7:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8309:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x83a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x84bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7fb7:$cnc4: POST / HTTP/1.1
00000000.00000002.3273623314.0000000002371000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: x.exe PID: 1988 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.x.exe.a0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.x.exe.a0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8509:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x85a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x86bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x81b7:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 1988, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 3440, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 1988, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 3440, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 1988, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 3440, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\x.exe, ProcessId: 1988, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java Update Checker (64 bit).lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 1988, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe', ProcessId: 3440, ProcessName: powershell.exe
Timestamp:07/16/24-06:29:02.846422
SID:2852870
Source Port:7000
Destination Port:49713
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/16/24-06:28:11.623836
SID:2855924
Source Port:49713
Destination Port:7000
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/16/24-06:29:02.847787
SID:2852923
Source Port:49713
Destination Port:7000
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/16/24-06:28:52.574098
SID:2852874
Source Port:7000
Destination Port:49713
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: x.exe | Avira: detected
Source: C:\ProgramData\java Update Checker (64 bit).exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: x.exe | Malware Configuration Extractor: Xworm {"C2 url": ["89.213.177.93"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\ProgramData\java Update Checker (64 bit).exe | ReversingLabs: Detection: 84%
Source: C:\ProgramData\java Update Checker (64 bit).exe | Virustotal: Detection: 66%
Source: x.exe | ReversingLabs: Detection: 84%
Source: x.exe | Virustotal: Detection: 66%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\java Update Checker (64 bit).exe | Joe Sandbox ML: detected
Source: x.exe | Joe Sandbox ML: detected
Source: x.exe | String decryptor: 89.213.177.93
Source: x.exe | String decryptor: 7000
Source: x.exe | String decryptor: <123456789>
Source: x.exe | String decryptor: <Xwormmm>
Source: x.exe | String decryptor: X
Source: x.exe | String decryptor: USB.exe
Source: x.exe | String decryptor: %ProgramData%
Source: x.exe | String decryptor: java Update Checker (64 bit).exe
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 89.213.177.93:7000 -> 192.168.2.5:49713
Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49713 -> 89.213.177.93:7000
Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.5:49713 -> 89.213.177.93:7000
Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 89.213.177.93:7000 -> 192.168.2.5:49713
Source: Malware configuration extractor | URLs: 89.213.177.93
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 89.213.177.93:7000
Source: Joe Sandbox View | ASN Name: EDGEtaGCIComGB
Source: unknown | TCP traffic detected without corresponding DNS query: 89.213.177.93
Source: powershell.exe, 0000000A.00000002.2609357941.000001B92DEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000002.00000002.2124699350.0000019F5F24D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2224066398.0000026FD8FCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380837711.00000261168DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2106255250.0000019F4F409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC9189000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: x.exe, 00000000.00000002.3273623314.0000000002371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2106255250.0000019F4F1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC8F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915871000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2106255250.0000019F4F409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC9189000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2133115428.0000019F67830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.o
Source: powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2106255250.0000019F4F1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC8F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915871000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2401741255.000002611EF1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5N
Source: powershell.exe, 00000002.00000002.2124699350.0000019F5F24D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2224066398.0000026FD8FCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380837711.00000261168DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.2606444376.000001B92DE07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ources.t

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: x.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: java Update Checker (64 bit).exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\Desktop\x.exe | Process information set: 01 00 00 00

System Summary

Source: x.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.x.exe.a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\java Update Checker (64 bit).exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FF848F105B0
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FF848F188C2
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FF848F17B16
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FF848F1CF6C
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FF848F13298
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FE2E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FD30E9
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.x.exe.a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\java Update Checker (64 bit).exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: x.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java Update Checker (64 bit).exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java Update Checker (64 bit).exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe, Settings.cs | Base64 encoded string: 'yS/9EbZKZ3CiByK9Gn/Yv2BQWx0T/ejJODxYNC4qCkblZmPi2kzR0tAiuIQtAP8F'
Source: java Update Checker (64 bit).exe.0.dr, Settings.cs | Base64 encoded string: 'yS/9EbZKZ3CiByK9Gn/Yv2BQWx0T/ejJODxYNC4qCkblZmPi2kzR0tAiuIQtAP8F'
Source: java Update Checker (64 bit).exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: java Update Checker (64 bit).exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: x.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/20@0/1
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java Update Checker (64 bit).lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Desktop\x.exe | Mutant created: \Sessions\1\BaseNamedObjects\EkAlUwMmr2kBi3Vs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: x.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: x.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: x.exe | ReversingLabs: Detection: 84%
Source: x.exe | Virustotal: Detection: 66%
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\x.exe
Source: unknown | Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java Update Checker (64 bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java Update Checker (64 bit).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java Update Checker (64 bit).exe'
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java Update Checker (64 bit).exe'
Source: C:\Users\user\Desktop\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
              Source: java Update Checker (64 bit).lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\java Update Checker (64 bit).exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: x.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: x.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: x.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: x.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: x.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: java Update Checker (64 bit).exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: java Update Checker (64 bit).exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: java Update Checker (64 bit).exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: x.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: x.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: x.exe, Messages.cs | .Net Code: Memory
              Source: java Update Checker (64 bit).exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: java Update Checker (64 bit).exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: java Update Checker (64 bit).exe.0.dr, Messages.cs | .Net Code: Memory
              Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848DFD2A5 pushad ; iretd 2_2_00007FF848DFD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F100BD pushad ; iretd 2_2_00007FF848F100C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FE2470 push eax; retf 2_2_00007FF848FE2471
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FE2316 push 8B485F94h; iretd 2_2_00007FF848FE231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848DED2A5 pushad ; iretd 5_2_00007FF848DED2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848F000BD pushad ; iretd 5_2_00007FF848F000C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FD2316 push 8B485F95h; iretd 5_2_00007FF848FD231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FD5DC0 pushad ; ret 5_2_00007FF848FD5DC1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E2D2A5 pushad ; iretd 8_2_00007FF848E2D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848F40028 pushad ; ret 8_2_00007FF848F40029
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848F400BD pushad ; iretd 8_2_00007FF848F400C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF849017CED push esi; iretd 8_2_00007FF849017D72
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF849012316 push 8B485F91h; iretd 8_2_00007FF84901231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848E0D2A5 pushad ; iretd 10_2_00007FF848E0D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848F200BD pushad ; iretd 10_2_00007FF848F200C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848FF2316 push 8B485F93h; iretd 10_2_00007FF848FF231B
              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\java Update Checker (64 bit).exe
              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\java Update Checker (64 bit).exe
              Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java Update Checker (64 bit).lnk
              Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java Update Checker (64 bit).lnk

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\Desktop\x.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\x.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\x.exe | Memory allocated: 8E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x.exe | Memory allocated: 1A370000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\x.exe | Window / User API: threadDelayed 3430
              Source: C:\Users\user\Desktop\x.exe | Window / User API: threadDelayed 6402
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5023
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4859
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6127
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3552
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7843
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1726
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6650
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3012
              Source: C:\Users\user\Desktop\x.exe TID: 5712 | Thread sleep time: -13835058055282155s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4124 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272 | Thread sleep count: 6127 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7032 | Thread sleep count: 3552 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276 | Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292 | Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472 | Thread sleep count: 6650 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472 | Thread sleep count: 3012 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: x.exe, 00000000.00000002.3282664772.000000001B140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\x.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\x.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\x.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\x.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\x.exe | Process created (the original lists the two -ExclusionPath command lines several times each; duplicates are collapsed here):
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java Update Checker (64 bit).exe'
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java Update Checker (64 bit).exe'
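Detection logic for the Defender-exclusion command lines above, as an added example (not part of the Joe Sandbox report and not code from the sample): it scans process-creation command lines for Add-MpPreference / Set-MpPreference exclusion parameters, records whether -ExecutionPolicy Bypass sits on the same command line, and also unpacks -EncodedCommand payloads, which the four command lines here do not use but which the same technique is commonly hidden behind. The events are constructed from the command lines listed above plus two synthetic ones (a benign Get-Date call and an encoded variant); the parent image names other than x.exe and the C:\ProgramData\evil.exe path are made up for the example.

```python
"""Flag Windows Defender exclusions added through PowerShell in process-creation events."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass

MPPREF_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.I)
# PowerShell resolves unambiguous parameter prefixes, so -ex, -exec and -ep all mean -ExecutionPolicy.
BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)
# -EncodedCommand and its short forms, followed by a base64 blob holding a UTF-16LE script.
ENCODED_RE = re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Exclusion parameter plus its argument, which runs up to the next parameter, separator or end.
EXCLUSION_RE = re.compile(
    r"-exclusion(path|process|extension|ipaddress)\s+(.+?)(?=\s+-\w|\s*[;|]|\s*$)", re.I | re.S
)
KINDS = {"path": "Path", "process": "Process", "extension": "Extension", "ipaddress": "IpAddress"}


@dataclass(frozen=True)
class Finding:
    image: str     # process that spawned powershell.exe
    kind: str      # Path | Process | Extension | IpAddress
    value: str     # what was excluded from scanning
    bypass: bool   # -ExecutionPolicy Bypass on the same command line
    encoded: bool  # exclusion was hidden in an -EncodedCommand payload


def _split_values(raw: str) -> list[str]:
    """Split a PowerShell argument list on commas outside quotes and drop the quotes."""
    values, buf, quote = [], [], None
    for ch in raw:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == ",":
            values.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    values.append("".join(buf).strip())
    return [v for v in values if v]


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the script hidden behind -EncodedCommand, or None if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(image: str, cmdline: str) -> list[Finding]:
    """Findings for one event: the visible command line and any decoded payload."""
    bypass = bool(BYPASS_RE.search(cmdline))
    findings = []
    for script, encoded in ((cmdline, False), (decode_encoded_command(cmdline), True)):
        if script and MPPREF_RE.search(script):
            for m in EXCLUSION_RE.finditer(script):
                for value in _split_values(m.group(2)):
                    findings.append(Finding(image, KINDS[m.group(1).lower()], value, bypass, encoded))
    return findings


def scan(events: list[tuple[str, str]]) -> list[Finding]:
    return [f for image, cmdline in events for f in analyze(image, cmdline)]


def excluded_items(findings: list[Finding]) -> list[tuple[str, str]]:
    """Unique (kind, value) pairs: the list a responder removes again with Remove-MpPreference."""
    return sorted({(f.kind, f.value) for f in findings})


PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
# Synthetic encoded variant of the same technique (path made up for the example).
ENCODED = base64.b64encode(r"Add-MpPreference -ExclusionPath 'C:\ProgramData\evil.exe'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [  # constructed: the four command lines from the report plus two synthetic events
    ("x.exe", PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'"),
    ("x.exe", PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java Update Checker (64 bit).exe'"),
    ("x.exe", PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'"),
    ("x.exe", PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java Update Checker (64 bit).exe'"),
    ("explorer.exe", PS + " -NoProfile -Command Get-Date"),
    ("dropper.exe", "powershell.exe -nop -w hidden -enc " + ENCODED),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image:12} {f.kind:8} bypass={f.bypass!s:5} encoded={f.encoded!s:5} {f.value}")
```

Command-line evidence shows the attempt, not the outcome: Add-MpPreference needs administrative rights, so on a suspected host confirm the state with Get-MpPreference (ExclusionPath and ExclusionProcess properties) and revert it with Remove-MpPreference -ExclusionPath / -ExclusionProcess using the values excluded_items() returns.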
Source: x.exe, 00000000.00000002.3273623314.000000000241D000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3273623314.0000000002402000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings:
  'PING!<Xwormmm>Program Manager<Xwormmm>0
  Program Manager
  PING!<Xwormmm>Program Manager<Xwormmm>0
  'PING!<Xwormmm>Program Manager<Xwormmm>0@
  Program Manager2!
Note: "<Xwormmm>" is the field separator of XWorm's C2 messages; this one carries the command PING! and "Program Manager", the title of the Windows desktop (Progman) window. The leading apostrophe is byte 0x27 = 39, which is exactly the length of the 39-character message that follows it, consistent with a .NET BinaryWriter length-prefixed string; the trailing "@" reads as adjacent memory rather than part of the message.
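A parser for the <Xwormmm>-delimited messages above, added here as an example and not code from the report or from XWorm: it carves printable ASCII and UTF-16LE runs out of a memory buffer, recognises the delimiter, strips a single-byte length prefix when the first byte equals the length of what follows (the 0x27 case above; a .NET BinaryWriter-style prefix is the assumed origin) and splits the message into command and fields. The memory buffer is constructed from the strings listed above; the Beacon field names are this example's own.

```python
"""Carve and parse XWorm-style '<Xwormmm>'-delimited messages from a memory buffer."""
from __future__ import annotations
import re
from dataclasses import dataclass

DELIM = "<Xwormmm>"  # field separator seen in the memory strings listed above
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs (.NET strings in memory)


@dataclass(frozen=True)
class Beacon:
    command: str             # first field, e.g. "PING!"
    fields: tuple[str, ...]  # remaining fields, e.g. window title and a counter
    length_prefixed: bool    # message was preceded by a byte equal to its length
    encoding: str
    raw: str                 # the printable run the message was carved from


def parse_message(text: str, encoding: str = "ascii") -> Beacon | None:
    """Parse one printable run; return None if it is not a delimited message."""
    if DELIM not in text:
        return None
    body, prefixed = text, False
    if encoding == "ascii":
        # Assumed .NET BinaryWriter-style prefix: one byte holding the string length (< 128).
        # 0x27 ("'") = 39 = len("PING!<Xwormmm>Program Manager<Xwormmm>0").
        n = ord(text[0])
        if 0 < n <= len(text) - 1 and DELIM in text[1:1 + n]:
            body, prefixed = text[1:1 + n], True  # drops the prefix and any trailing bytes
    parts = body.split(DELIM)
    return Beacon(parts[0], tuple(parts[1:]), prefixed, encoding, text)


def carve_beacons(buf: bytes) -> list[Beacon]:
    """Find every delimited message in a raw memory dump, in either encoding."""
    found = []
    for encoding, pattern in (("ascii", ASCII_RUN), ("utf-16le", UTF16_RUN)):
        for m in pattern.finditer(buf):
            beacon = parse_message(m.group(0).decode(encoding), encoding)
            if beacon:
                found.append(beacon)
    return found


# Constructed dump modelled on the strings above: a length-prefixed ASCII copy followed by an
# unrelated byte ("@"), a UTF-16LE copy, and a string that is not a message.
SAMPLE_DUMP = (
    b"\x00\x00'PING!<Xwormmm>Program Manager<Xwormmm>0@\x00\x00"
    + "PING!<Xwormmm>Program Manager<Xwormmm>0".encode("utf-16le")
    + b"\x00\x00Program Manager2!\x00"
)

if __name__ == "__main__":
    for b in carve_beacons(SAMPLE_DUMP):
        print(f"{b.encoding:8} prefixed={b.length_prefixed!s:5} command={b.command!r} fields={b.fields}")
```

Running the block on a real process dump of the sample would give the same two-field PING! messages; on network captures the same split applies only after the transport-layer encryption noted in the ATT&CK matrix (Encrypted Channel) has been removed.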
Source: C:\Users\user\Desktop\x.exe | Queries volume information: C:\Users\user\Desktop\x.exe VolumeInformation
Source: C:\Users\user\Desktop\x.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (the original lists the same 18-entry sequence once for each of the four powershell.exe instances; the distinct paths are):
  C:\ VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Note: every powershell.exe instance in this run exists only to execute Add-MpPreference, yet each queries the same catalog, GAC, App-V and BitLocker module paths; treat these as PowerShell start-up behaviour rather than as App-V or BitLocker activity by the sample.
Source: C:\Users\user\Desktop\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: x.exe, 00000000.00000002.3285308974.000000001B1BC000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.3282664772.000000001B181000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\x.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 0.0.x.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3273623314.0000000002371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\java Update Checker (64 bit).exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 0.0.x.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3273623314.0000000002371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\java Update Checker (64 bit).exe, type: DROPPED
MITRE ATT&CK Matrix (techniques matched by this analysis, grouped by tactic; the digits in brackets are the signature-count badges from the original matrix cell, and the unmatched placeholder techniques that fill the rest of the full matrix are omitted):

Execution: Windows Management Instrumentation [11], PowerShell [1]
Persistence: Registry Run Keys / Startup Folder [2], DLL Side-Loading [1]
Privilege Escalation: Process Injection [12], Registry Run Keys / Startup Folder [2], DLL Side-Loading [1]
Defense Evasion: Masquerading [1], Disable or Modify Tools [11], Virtualization/Sandbox Evasion [131], Process Injection [12], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [11], Software Packing [2], DLL Side-Loading [1]
Credential Access: Input Capture [1]
Discovery: Security Software Discovery [221], Process Discovery [2], Virtualization/Sandbox Evasion [131], Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [13]
Collection: Input Capture [1], Archive Collected Data [11]
Command and Control: Encrypted Channel [1], Non-Standard Port [1], Application Layer Protocol [1]
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no technique matched
Behavior Graph ID: 1473983
Sample: x.exe
Start date: 16/07/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
• x.exe (started)
• DNS/IP: 89.213.177.93, 49713, 7000, EDGEtaGCIComGB, United Kingdom
• Dropped file: C:\...\java Update Checker (64 bit).exe, PE32
• Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
• powershell.exe (started, four instances)
• Signature: Loading BitLocker PowerShell Module
• conhost.exe (started, one per powershell.exe instance)

Source | Detection | Scanner | Label | Link
x.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT |
x.exe | 66% | Virustotal | | Browse
x.exe | 100% | Avira | TR/Spy.Gen |
x.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\ProgramData\java Update Checker (64 bit).exe | 100% | Avira | TR/Spy.Gen |
C:\ProgramData\java Update Checker (64 bit).exe | 100% | Joe Sandbox ML | |
C:\ProgramData\java Update Checker (64 bit).exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT |
C:\ProgramData\java Update Checker (64 bit).exe | 66% | Virustotal | | Browse
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
89.213.177.93 | 0% | Avira URL Cloud | safe |
https://ources.t | 0% | Avira URL Cloud | safe |
http://www.apache.o | 0% | Avira URL Cloud | safe |
https://ion=v4.5N | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://crl.micros | 0% | Avira URL Cloud | safe |
http://www.apache.o | 0% | Virustotal | | Browse
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
89.213.177.93 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2124699350.0000019F5F24D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2224066398.0000026FD8FCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380837711.00000261168DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2106255250.0000019F4F409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC9189000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://ources.t
Source: powershell.exe, 0000000A.00000002.2606444376.000001B92DE07000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2106255250.0000019F4F409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC9189000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2124699350.0000019F5F24D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2224066398.0000026FD8FCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2380837711.00000261168DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2575421609.000001B9258DC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2106255250.0000019F4F1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC8F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915871000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://ion=v4.5N
Source: powershell.exe, 00000008.00000002.2401741255.000002611EF1A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.apache.o
Source: powershell.exe, 00000002.00000002.2133115428.0000019F67830000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x.exe, 00000000.00000002.3273623314.0000000002371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2106255250.0000019F4F1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2165229937.0000026FC8F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2283633035.0000026106871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2439915159.000001B915871000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.2439915159.000001B915A99000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown
Name: http://crl.micros
Source: powershell.exe, 0000000A.00000002.2609357941.000001B92DEC0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
89.213.177.93 | unknown | United Kingdom | | 8851 | EDGEtaGCIComGB | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1473983
              Start date and time:2024-07-16 06:26:05 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 3s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:14
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:x.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@13/20@0/1
              EGA Information:
              • Successful, ratio: 20%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 44
              • Number of non-executed functions: 4
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target powershell.exe, PID 2860 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 320 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 3440 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 5952 because it is empty
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:27:01 | API Interceptor | 55x Sleep call for process: powershell.exe modified
00:28:04 | API Interceptor | 213x Sleep call for process: x.exe modified
06:28:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java Update Checker (64 bit).lnk
              No context
              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
EDGEtaGCIComGB | x.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 89.213.177.100
EDGEtaGCIComGB | botx.arm6.elf | Get hash | malicious | Mirai | Browse | 212.38.80.100
EDGEtaGCIComGB | Setup.exe | Get hash | malicious | AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine | Browse | 89.213.177.81
EDGEtaGCIComGB | lkHUYpJ8S7.exe | Get hash | malicious | Njrat | Browse | 89.213.177.81
EDGEtaGCIComGB | sevchost.exe | Get hash | malicious | XWorm | Browse | 89.213.177.81
EDGEtaGCIComGB | test.exe | Get hash | malicious | XWorm | Browse | 89.213.177.81
EDGEtaGCIComGB | XClient.exe | Get hash | malicious | XWorm | Browse | 89.213.177.81
EDGEtaGCIComGB | ServerManager.exe | Get hash | malicious | XWorm | Browse | 89.213.177.81
EDGEtaGCIComGB | MicrosoftService.exe | Get hash | malicious | XWorm | Browse | 89.213.177.81
EDGEtaGCIComGB | f6RyWmGZLw.elf | Get hash | malicious | Unknown | Browse | 217.144.153.241
              No context
              No context
              Process:C:\Users\user\Desktop\x.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):43008
              Entropy (8bit):5.637719955890353
              Encrypted:false
              SSDEEP:768:PuTA4z0hZZH6wCWSctKuuuElZPUmfFWPC9v66dOMh+adnMC:PuTC9P3TtKuuPjTFJ9v66dOM4AnMC
              MD5:EACD19FE747D17C6740B0A8A50DE29AC
              SHA1:4F47AA2B91B52CAA981197D9BED3435422D48D80
              SHA-256:9208A02C664094FA2633D6834C10C680FB24E1E900D449814DBBD1C48718F4BA
              SHA-512:AA38DFDB487F283AB3FE0E106C49F3C8A5D7AE3FFDB333F69B5E8659D22555C165D77404D5DC19A476034106E5BA69B4559BFC3CD28C0FDF9851FE4C7F9E40D3
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\java Update Checker (64 bit).exe, Author: Joe Security
              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\java Update Checker (64 bit).exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 66%, Browse
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.f............................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......(Z...V............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:modified
              Size (bytes):64
              Entropy (8bit):0.34726597513537405
              Encrypted:false
              SSDEEP:3:Nlll:Nll
              MD5:446DD1CF97EABA21CF14D03AEBC79F27
              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
              Malicious:false
              Reputation:high, very likely benign file
              Preview:@...e...........................................................
              Process:C:\Users\user\Desktop\x.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):29
              Entropy (8bit):3.598349098128234
              Encrypted:false
              SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
              MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
              SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
              SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
              SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:....### explorer ###..[WIN]r
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Users\user\Desktop\x.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 16 03:27:56 2024, mtime=Tue Jul 16 03:27:56 2024, atime=Tue Jul 16 03:27:56 2024, length=43008, window=hide
              Category:dropped
              Size (bytes):770
              Entropy (8bit):4.654274155817469
              Encrypted:false
              SSDEEP:12:8WUfCA0cOhRP2ef/52jDujASjhReCHGbFWjDchFmV:8Zjer29jeAuCFWjyFm
              MD5:033BD47B9CAE91BC8BA934BF93311BD4
              SHA1:B84293AEB667A09E263AC910B69DE0C7EDDC54A8
              SHA-256:A3B8EB78C3C37B8154E7E13FC9AD5898F8B33353AD4FE913FEC5DCFE30B1BAE9
              SHA-512:22356A81CA9078FD52B3C38B9E98D6538EA849228BCFE473D7659A5B5758E69CB050F95A2F2BBE50624245EDCA9CB4122675C41F12D10661352A0BD775DEBCE2
              Malicious:false
              Preview:L..................F.... ..J.h.8...J.h.8...J.h.8................................P.O. .:i.....+00.../C:\...................`.1......XX#. PROGRA~3..H......O.I.XX#....g.....................?l..P.r.o.g.r.a.m.D.a.t.a.......2......X}# JAVAUP~1.EXE..r.......X}#.X}#....[.........................j.a.v.a. .U.p.d.a.t.e. .C.h.e.c.k.e.r. .(.6.4. .b.i.t.)...e.x.e.......^...............-.......]............3./.....C:\ProgramData\java Update Checker (64 bit).exe..G.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.j.a.v.a. .U.p.d.a.t.e. .C.h.e.c.k.e.r. .(.6.4. .b.i.t.)...e.x.e.`.......X.......715575...........hT..CrF.f4... ....+C...,...W..hT..CrF.f4... ....+C...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):5.637719955890353
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:x.exe
              File size:43'008 bytes
              MD5:eacd19fe747d17c6740b0a8a50de29ac
              SHA1:4f47aa2b91b52caa981197d9bed3435422d48d80
              SHA256:9208a02c664094fa2633d6834c10c680fb24e1e900d449814dbbd1c48718f4ba
              SHA512:aa38dfdb487f283ab3fe0e106c49f3c8a5d7ae3ffdb333f69b5e8659d22555c165d77404d5dc19a476034106e5ba69b4559bfc3cd28c0fdf9851fe4c7f9e40d3
              SSDEEP:768:PuTA4z0hZZH6wCWSctKuuuElZPUmfFWPC9v66dOMh+adnMC:PuTC9P3TtKuuPjTFJ9v66dOM4AnMC
              TLSH:BC136C883B944216D5FE7FFA1AB3A2060734FA03A913DB5E4CD89D9A3B3778449417D2
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.f............................>.... ........@.. ....................................@................................
              Icon Hash:4df4f2f2d0d8f845
              Entrypoint:0x40b13e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66914DE8 [Fri Jul 12 15:38:16 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb0ec | 0x4f | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x10d0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x9144 | 0x9200 | 62eb2b1237b8b5496b5b4cbabea2d3f3 | False | 0.4926690924657534 | data | 5.706377296256697 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc | 0xc000 | 0x10d0 | 0x1200 | 11ba8674c1d7ee6865eae831441bb8a4 | False | 0.3767361111111111 | data | 4.928187442039532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xe000 | 0xc | 0x200 | eab4cf7bc8c3782762e983d20cf3e10d | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0xc190 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.46959459459459457
              RT_ICON | 0xc2b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.36560693641618497
              RT_ICON | 0xc820 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.4441489361702128
              RT_GROUP_ICON | 0xcc88 | 0x30 | data | | | 0.7708333333333334
              RT_VERSION | 0xccb8 | 0x22c | data | | | 0.4766187050359712
              RT_MANIFEST | 0xcee4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
              DLL | Import
              mscoree.dll | _CorExeMain
              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              07/16/24-06:29:02.846422 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              07/16/24-06:28:11.623836 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              07/16/24-06:29:02.847787 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              07/16/24-06:28:52.574098 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 16, 2024 06:28:00.762254953 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:00.767239094 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:00.767319918 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:00.957747936 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:00.962651014 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.823220015 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.863284111 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:04.899636030 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:04.904557943 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.904571056 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.904578924 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.904584885 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.904679060 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.904686928 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:04.904695034 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.851104975 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.894577980 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:09.903798103 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:09.909735918 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.909753084 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.909768105 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.910666943 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.910742998 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.910770893 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:09.910799026 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:11.623836040 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:11.858720064 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:12.214890003 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:12.216805935 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:12.221697092 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.823671103 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.874501944 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:14.879651070 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879671097 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879683971 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879694939 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879719019 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879731894 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879743099 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:14.879771948 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:19.823261976 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:19.863286018 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:19.885751009 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:20.087615967 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.087773085 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:20.088433981 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088448048 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088692904 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088716030 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088773012 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088926077 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088937998 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:20.088953018 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:22.270174026 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:22.277131081 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:22.570230007 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:22.613323927 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:22.879554987 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:22.881424904 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:22.886528969 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.823112011 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.859019041 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:24.864132881 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864167929 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864213943 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864242077 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864279985 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864312887 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864325047 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:24.864336967 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.813132048 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.859651089 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:29.864852905 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.864871025 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.864881992 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.864896059 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.865025997 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.865039110 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.865051031 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:29.865063906 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:32.926234961 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:32.931339979 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:33.284981012 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:33.286942005 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:33.292181969 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.817616940 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.857759953 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:34.862704992 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862720966 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862730026 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862740040 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862747908 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862798929 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862807989 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:34.862816095 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.813745975 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.863310099 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:39.865151882 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:39.870038986 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870054960 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870085001 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870105028 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870117903 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870131969 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870219946 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:39.870280027 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:43.582391977 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:43.587373018 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:43.939970970 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:43.942542076 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:43.947407961 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.822899103 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.855921984 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:44.861016989 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861052990 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861108065 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861136913 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861165047 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861213923 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861242056 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:44.861269951 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.819169998 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.852134943 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:49.857284069 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857316017 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857366085 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857394934 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857422113 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857568979 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857597113 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:49.857625008 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:52.574098110 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:52.628921986 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:54.238799095 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:54.243896008 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:54.596085072 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:54.597918034 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:54.602771044 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:54.910270929 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:54.957056999 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:55.021872044 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:55.187661886 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.187707901 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.187753916 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.187877893 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.188091993 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.188131094 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.188469887 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:55.188518047 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.815427065 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.853399038 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:28:59.858422995 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858438969 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858504057 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858571053 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858597040 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858608961 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858680010 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:28:59.858691931 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:29:02.488564968 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:29:02.493561983 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:29:02.846421957 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5
              Jul 16, 2024 06:29:02.847786903 CEST | 49713 | 7000 | 192.168.2.5 | 89.213.177.93
              Jul 16, 2024 06:29:02.852855921 CEST | 7000 | 49713 | 89.213.177.93 | 192.168.2.5

              Target ID:0
              Start time:00:26:54
              Start date:16/07/2024
              Path:C:\Users\user\Desktop\x.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\x.exe"
              Imagebase:0xa0000
              File size:43'008 bytes
              MD5 hash:EACD19FE747D17C6740B0A8A50DE29AC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2011714539.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3273623314.0000000002371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false

              Target ID:2
              Start time:00:26:58
              Start date:16/07/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\x.exe'
              Imagebase:0x7ff7be880000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:00:26:58
              Start date:16/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:00:27:06
              Start date:16/07/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
              Imagebase:0x7ff7be880000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:00:27:06
              Start date:16/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:8
              Start time:00:27:18
              Start date:16/07/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\java Update Checker (64 bit).exe'
              Imagebase:0x7ff7be880000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:9
              Start time:00:27:18
              Start date:16/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:10
              Start time:00:27:34
              Start date:16/07/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java Update Checker (64 bit).exe'
              Imagebase:0x7ff7be880000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:11
              Start time:00:27:34
              Start date:16/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

                Execution Graph

                Execution Coverage:25.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:6
                Total number of Limit Nodes:0
                execution_graph 4925 7ff848f12a18 4926 7ff848f12a21 SetWindowsHookExW 4925->4926 4928 7ff848f12af1 4926->4928 4921 7ff848f124cd 4922 7ff848f12530 RtlSetProcessIsCritical 4921->4922 4924 7ff848f125b2 4922->4924

                Control-flow Graph

                • Executed
                • Not Executed
                Control-flow graph of the function starting at 7ff848f13298 (extracted basic-block edge list omitted; no API calls resolved in this graph).
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID:
                • String ID: X_H
                • API String ID: 0-2184086071
                • Opcode ID: f96022bced17411f788d19a38f209c85d2cd3a1946fdd0058600f06a3153d9dd
                • Instruction ID: 42da03155098f4317c0630aab08d9e83705c185ca34846a9e82ae9622b088c8f
                • Opcode Fuzzy Hash: f96022bced17411f788d19a38f209c85d2cd3a1946fdd0058600f06a3153d9dd
                • Instruction Fuzzy Hash: 71627B70A1D95A8FEA98F738845667972D6EFD9390F504678D80EC32C6EF28EC428744

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID:
                • String ID: CAO_^
                • API String ID: 0-3111533842
                • Opcode ID: 672a8d344ec3532dfbf5666b698d2a5ba467309e7f49221955805d22992febe9
                • Instruction ID: bbd35a8a80caf009eb2ea1dcefcfe452626d156c4a877cdb1e572b85a9463dad
                • Opcode Fuzzy Hash: 672a8d344ec3532dfbf5666b698d2a5ba467309e7f49221955805d22992febe9
                • Instruction Fuzzy Hash: 4122E170A2DA595FEB98FB3884596B976D2FF98750F400579E80EC32C2DF28AC418751

                Control-flow Graph

                • Executed
                • Not Executed
                Control-flow graph of the function starting at 7ff848f17b16 (extracted basic-block edge list omitted; no API calls resolved in this graph).
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 059d8164fd01a01a0f7cf3af922e5c7a0097b0aa813090e6f39841c29776c14c
                • Instruction ID: 7aba53363a7573f499dacf888e21716424c9c228bca286dc0c6c74104a9b67f1
                • Opcode Fuzzy Hash: 059d8164fd01a01a0f7cf3af922e5c7a0097b0aa813090e6f39841c29776c14c
                • Instruction Fuzzy Hash: 05F1803090CA8D8FEBA8EF28C8557E977E1FF54350F14426EE84DC7295DB3899458B82

                Control-flow Graph

                • Executed
                • Not Executed
                Control-flow graph of the function starting at 7ff848f188c2 (extracted basic-block edge list omitted; no API calls resolved in this graph).
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b95dd26c7130d1e378948ad6181b89c1fb9e111f8382cd3f1de09a88170ed49e
                • Instruction ID: e187276bcac10739d093e36e23b0ef9d0ccb47694829e5dfed1874e4f125be64
                • Opcode Fuzzy Hash: b95dd26c7130d1e378948ad6181b89c1fb9e111f8382cd3f1de09a88170ed49e
                • Instruction Fuzzy Hash: CAE1B130A1CA8D8FEBA8EF28C8557E977E1EF54350F44426ED84DC7291CF78A9418B81
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9308176efc9fa694ac61651cccb97db963e070a62ece45ac2c4f5740bf6cc50
                • Instruction ID: 17200f2b4842dc19eb0db7385d7e544d9df22ccda4780336eca7518cd88a4654
                • Opcode Fuzzy Hash: f9308176efc9fa694ac61651cccb97db963e070a62ece45ac2c4f5740bf6cc50
                • Instruction Fuzzy Hash: 97C1F53094E7C45FD747A7389858AE57FA0EF83325F0841FAE089CB0A3DBA95816C752

                Control-flow Graph

                • Executed
                • Not Executed
                Control-flow graph of the function starting at 7ff848f124cd, which calls RtlSetProcessIsCritical (extracted basic-block edge list omitted).
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID: CriticalProcess
                • String ID:
                • API String ID: 2695349919-0
                • Opcode ID: 7b487962a808600f3f9efdee553e3b393f111933d1e58e70bd82b07b5cfd3504
                • Instruction ID: 336334b2d8a92bee9f0f4755ae1669bd682ade437b800289890a3ecbf3cb6bb9
                • Opcode Fuzzy Hash: 7b487962a808600f3f9efdee553e3b393f111933d1e58e70bd82b07b5cfd3504
                • Instruction Fuzzy Hash: 9941C37180C6588FD719DFA8D849AE9BBF0FF56311F04416EE08AC3692CB686846CB91

                Control-flow Graph

                • Executed
                • Not Executed
                Control-flow graph of the function starting at 7ff848f12a18, which calls SetWindowsHookExW (extracted basic-block edge list omitted).
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3291002137.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f10000_x.jbxd
                Similarity
                • API ID: HookWindows
                • String ID:
                • API String ID: 2559412058-0
                • Opcode ID: 2cff2d3f6ba9cc5c3d7d296172d6601fa680b7cbe1b8f01fd7bb6f45bfb36ecd
                • Instruction ID: 844dc53316213c69c6946b3cd042faf15b3280fd8aefdafc577790c2bb2d5812
                • Opcode Fuzzy Hash: 2cff2d3f6ba9cc5c3d7d296172d6601fa680b7cbe1b8f01fd7bb6f45bfb36ecd
                • Instruction Fuzzy Hash: 8941083091CA5D5FDB58EBAC98466F9BBE1EB59321F00027ED049C3292CF74A852CBC5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.2136202466.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: h:&I$L_H
                • API String ID: 0-2763241288
                • Opcode ID: d5376ed0814272146d97c1a06e79c41202c63302c45a1e869aa3bd316d865c54
                • Instruction ID: e8a8983ac002db5d3c6a6bc325b7635afcb616d9f18715f2f86b7fcbd4e2f6ba
                • Opcode Fuzzy Hash: d5376ed0814272146d97c1a06e79c41202c63302c45a1e869aa3bd316d865c54
                • Instruction Fuzzy Hash: 18823531E0DA8A4FE3A6AB2C58591B57BE1EF96660F0901FFC04DC71D3DA1CAC068356
                Memory Dump Source
                • Source File: 00000002.00000002.2136202466.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a425d0846e06db79f13dc4df799e3595f30bb178f9ce8efb589de474796f17bd
                • Instruction ID: b2cc1713065adfd4cce559df6d18fee0bc544833ac9db43cf0b28019bfd7d9a8
                • Opcode Fuzzy Hash: a425d0846e06db79f13dc4df799e3595f30bb178f9ce8efb589de474796f17bd
                • Instruction Fuzzy Hash: 9ED11131D1EA8E9FE795AB2858595B5BBE0EF16354F1800BAD04DCB0D3EB1CAC05C355
                Memory Dump Source
                • Source File: 00000002.00000002.2135673667.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0abef4f14d79544cc5bdb81dbd3368c5fb9f7300ee765643c6dfed4275a414a5
                • Instruction ID: 11b617f6997c9830e447da853ad583f72d095639d0f3c7633c9ea3537e03b9e3
                • Opcode Fuzzy Hash: 0abef4f14d79544cc5bdb81dbd3368c5fb9f7300ee765643c6dfed4275a414a5
                • Instruction Fuzzy Hash: 98814C37D1DA915FE346BB3CAC660E53B60FF11BE9F0801B6D0888A0D3EE185C168799
                Memory Dump Source
                • Source File: 00000002.00000002.2135673667.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dde3c696c4da03a19aa8530837e4d53ab8b25cfc9d377d6b2d8420eb48d3156c
                • Instruction ID: aec3d1df2f354f0e0eb5b1bf7d7ba7d54eaadf3db52f4ea00897ddd63b7342ae
                • Opcode Fuzzy Hash: dde3c696c4da03a19aa8530837e4d53ab8b25cfc9d377d6b2d8420eb48d3156c
                • Instruction Fuzzy Hash: 68310B3191CB489FDB1C9F5CA8066F97BE0FB99711F00422FE449D3651CB30A8568BC2
                Memory Dump Source
                • Source File: 00000002.00000002.2135190688.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848dfd000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5429ee4f4b971bdc36ecae412efcfd2032b2a0c1a9e3ab02729852c77ba37cfc
                • Instruction ID: 11754eaeefdd08d9cbc4602eb387b5693cc2820065dc819c7828e3ccc7946074
                • Opcode Fuzzy Hash: 5429ee4f4b971bdc36ecae412efcfd2032b2a0c1a9e3ab02729852c77ba37cfc
                • Instruction Fuzzy Hash: DC41237180EBC44FE7569B289849A523FF0EF52365F1502EFD088CF1A3D725A84AC792
                Memory Dump Source
                • Source File: 00000002.00000002.2135673667.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e7afbd2af1c19c2a24e8c868501a36b7f3458f52bc4169c91c611edb4e11e357
                • Instruction ID: 8f9a3b65c0ab801939cb93633597e61c5200018a22d63db4bf317b0f12880abb
                • Opcode Fuzzy Hash: e7afbd2af1c19c2a24e8c868501a36b7f3458f52bc4169c91c611edb4e11e357
                • Instruction Fuzzy Hash: 3721283190C74C8FDB59DFAC984A7E97BF0EB5A320F04426BD049C7192DA74A856CB91
                Memory Dump Source
                • Source File: 00000002.00000002.2136202466.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ebaf4ad8b3ea7934537f911c0eab83c01663bbbd1c52d5bdb96b2732cb13492b
                • Instruction ID: f64a99700e6eb72c254b1163c982ad3f0302dddaced5640ef71e16de1e732c05
                • Opcode Fuzzy Hash: ebaf4ad8b3ea7934537f911c0eab83c01663bbbd1c52d5bdb96b2732cb13492b
                • Instruction Fuzzy Hash: 8A218E32E0DE464FEBAAEB18945117466D1FF64294F5901BEC15EC71E2CF1CDC05834A
                Memory Dump Source
                • Source File: 00000002.00000002.2135673667.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                Memory Dump Source
                • Source File: 00000002.00000002.2136202466.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: de6b18903a5bc633f747598b101c7e8e2f1faa15ee1cd5a0be636acb102d8d89
                • Instruction ID: 8747240965d1b0c7252e69b8f3c73682c675b22916eb1583e6ce9c28205346dc
                • Opcode Fuzzy Hash: de6b18903a5bc633f747598b101c7e8e2f1faa15ee1cd5a0be636acb102d8d89
                • Instruction Fuzzy Hash: E1F03031A0C4058FD758EB0CE4459F8B3E0EF48361F4500B6E15EC7593DB26AC518795
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.2135673667.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: N_^4$N_^7$N_^F$N_^J
                • API String ID: 0-3508309026
                • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                • Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
                • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                • Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.2245267182.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                • API String ID: 0-3570690463
                • Opcode ID: 6b25cb08baf11a86109e61314223e63fc02d14d0e31799f68cef04faa0b2b4de
                • Instruction ID: 9febca3dd3e3c0ff13f22b18d97e64fec9e6a9c7c77ea3d5b6ec74377c46a57e
                • Opcode Fuzzy Hash: 6b25cb08baf11a86109e61314223e63fc02d14d0e31799f68cef04faa0b2b4de
                • Instruction Fuzzy Hash: 2BC15231E0EA8A5FEB95EB2858151B5BBE0FF16354F1801BAD14ECB0D3EF1CA8058795
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.2245267182.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                • API String ID: 0-3570690463
                • Opcode ID: 48dfab5417c6385f7eb91f05aa53654fc9acb2a148a0ea833cd9ac9c0da522f6
                • Instruction ID: 9be4af8efb438a1a98307864f9ce1c43264957e6f5f89d9522700b7669feded7
                • Opcode Fuzzy Hash: 48dfab5417c6385f7eb91f05aa53654fc9acb2a148a0ea833cd9ac9c0da522f6
                • Instruction Fuzzy Hash: 97B14031D1EA8A5FE794EB2858185B5BBE0FF15394F1801BAD50ECB0D3EB2CA8058795
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.2245267182.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8>"I
                • API String ID: 0-2459728092
                • Opcode ID: efd38b11ac3c2adeb05466fbc4747ae336a36c3c430390bf40273a5d3299b1a1
                • Instruction ID: bd466f9f659a57d307fbc0534824bd681a2a15fa87c1ee744f3997147091a3bb
                • Opcode Fuzzy Hash: efd38b11ac3c2adeb05466fbc4747ae336a36c3c430390bf40273a5d3299b1a1
                • Instruction Fuzzy Hash: DE024B32E0DA8A4FE799AB2C58551747BE1EF95750F0801FAC24EC71D3EF199C068746
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.2245267182.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8>"I
                • API String ID: 0-2459728092
                • Opcode ID: e8a2af1bc8c86d6d1cd7ea6c6278132c5096e2b2719969c7cc26b4b4a0200b49
                • Instruction ID: 2d9866bf4f223dc544399aa0ecfb2f481f4388e9819149e43839ec6df5b33e0f
                • Opcode Fuzzy Hash: e8a2af1bc8c86d6d1cd7ea6c6278132c5096e2b2719969c7cc26b4b4a0200b49
                • Instruction Fuzzy Hash: 54219E32E0E9874FE7AAEB28545517466D1FF74290F5911B9C25FC71E2CF18EC048B4A
                Memory Dump Source
                • Source File: 00000005.00000002.2244290401.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbb9fda4cdb183acffacbe06698606b0bf7cfcb4a1bbbc2d00cadde4668dab0e
                • Instruction ID: b83706e96af62550394d6d51d762a88bc090689212d7177ff2d0cd8618c6b736
                • Opcode Fuzzy Hash: dbb9fda4cdb183acffacbe06698606b0bf7cfcb4a1bbbc2d00cadde4668dab0e
                • Instruction Fuzzy Hash: EB31077191CB888FDB189B1C98066B97BF0FB99710F00426FE449C3692DB70A856CBC2
                Memory Dump Source
                • Source File: 00000005.00000002.2244290401.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dce43119c55d5446f4cbd728012479a5a3df003cac91785d6ec4ea9e29f48b47
                • Instruction ID: 40fa68b2642d1727357d42f8c7b3366d7e0263eddbccbba712bf75c658006f43
                • Opcode Fuzzy Hash: dce43119c55d5446f4cbd728012479a5a3df003cac91785d6ec4ea9e29f48b47
                • Instruction Fuzzy Hash: E7212B7180C7888FEB09DBA89C4A6F97FF4EF53321F04415AD445DB263DA786846CB61
                Memory Dump Source
                • Source File: 00000005.00000002.2243292499.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848ded000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 21995c548f1d9e42e9743df6ed7a8b64864e6b4a129027d2402b03cf4c9e532e
                • Instruction ID: 5fe4b619c31a74c78729e054d993592beb6a86a87affe715f2935f71ece3661b
                • Opcode Fuzzy Hash: 21995c548f1d9e42e9743df6ed7a8b64864e6b4a129027d2402b03cf4c9e532e
                • Instruction Fuzzy Hash: 77017C3150CE088FDBA8EF1DE48595237E0FB98320B10069BD459C755AE735F886CBC1
                Memory Dump Source
                • Source File: 00000005.00000002.2244290401.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                • Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
                • Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                • Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45
                Memory Dump Source
                • Source File: 00000005.00000002.2244290401.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39845ca1bb1d90fe467b5f66172c6f655081aaf2ab112ba971b9cf89625753a1
                • Instruction ID: f2c913d7e464c5fb33117fda488b971395ea3608bb247b3a3f813cf779ee1cfe
                • Opcode Fuzzy Hash: 39845ca1bb1d90fe467b5f66172c6f655081aaf2ab112ba971b9cf89625753a1
                • Instruction Fuzzy Hash: E6F0593AA0CA8C4FCB81EF3C98681D47FE0FFA6211B0500BBD508C7161EB608848CBC1
                Memory Dump Source
                • Source File: 00000005.00000002.2245267182.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9688a513bba34d0d6796eeaa4fbf2971401703dda120b550bbdf1730f1ce1553
                • Instruction ID: 1ac74bfea5c94f2c79739ea4f97bebdacf17d076805861e8386c2ef8f220b082
                • Opcode Fuzzy Hash: 9688a513bba34d0d6796eeaa4fbf2971401703dda120b550bbdf1730f1ce1553
                • Instruction Fuzzy Hash: 46F09A31A0C5458FDB94EB5CA4448A8B7E0FF16360F4500B6E19EC70A3DB29ACA08B64
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.2244290401.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ff848f00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
                • API String ID: 0-3814653101
                • Opcode ID: 767dc838b8e3e9580db012fdc19fa58d9d18fd9b3128ba9e1fe4c8e4c2756401
                • Instruction ID: a0f1b50350d84767e6235a92e2b28b9e38e345a374a4ee0607b987e7a50cf300
                • Opcode Fuzzy Hash: 767dc838b8e3e9580db012fdc19fa58d9d18fd9b3128ba9e1fe4c8e4c2756401
                • Instruction Fuzzy Hash: B4213473A2A5119AC202377CBC415D93790EF843BA74902F3E01DCF303DE1CA48B8694
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.2409305286.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: (B&I$(B&I$(B&I$(B&I$(B&I
                • API String ID: 0-1750599480
                • Opcode ID: b2d31b3ed198468827f3a02509d1b44fb1d0dc4f52870a1f50c73c6e8199b8bd
                • Instruction ID: 528e1ec5a7e99454f972589332bb9d2f88725588042bd82776fc8126b5d4110a
                • Opcode Fuzzy Hash: b2d31b3ed198468827f3a02509d1b44fb1d0dc4f52870a1f50c73c6e8199b8bd
                • Instruction Fuzzy Hash: C4D11232D0EACA9FEBA5AF2858165B57BE0EF16754F0801BBD44CC7093EA1AEC45C351
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.2409305286.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8>&I
                • API String ID: 0-4142972376
                • Opcode ID: 2545c4d7685ceb9d8aa53a4b91a67b04d427fdc521e4b2020a505d478b03a39a
                • Instruction ID: 97c453a5d2ed95c1a9f78e84017b6610addaa13f08bcb848a55de65e04eed5b6
                • Opcode Fuzzy Hash: 2545c4d7685ceb9d8aa53a4b91a67b04d427fdc521e4b2020a505d478b03a39a
                • Instruction Fuzzy Hash: 40511B32E0DA868FEBB9EE2C541267577E1EF55360F5801BAC04DC71A3EE25EC058351
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.2409305286.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8>&I
                • API String ID: 0-4142972376
                • Opcode ID: 330635f5c7e5b357ad42b912f1ce0847a8a1e04be4868ddc6fadfa10233c8e61
                • Instruction ID: 25254154ee55d1f2b5bde606124755b31984739b7575484ba2d4cd0a7d004234
                • Opcode Fuzzy Hash: 330635f5c7e5b357ad42b912f1ce0847a8a1e04be4868ddc6fadfa10233c8e61
                • Instruction Fuzzy Hash: F621D232E0D9C78FEBB9EF2C546217476D5EF64290B5905B9C05EC71B2EE29DC058341
                Memory Dump Source
                • Source File: 00000008.00000002.2408411552.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5f0c9dc0627afe7eeb2602584b8b4fd9e1e2a44956915e7699c8ec41e90c90b2
                • Instruction ID: ac9e526967559f35bd81e70842321b8f60bf11ce0891a511c0457d223ee6e6ca
                • Opcode Fuzzy Hash: 5f0c9dc0627afe7eeb2602584b8b4fd9e1e2a44956915e7699c8ec41e90c90b2
                • Instruction Fuzzy Hash: 8C810B77D0E9964FE741EB2CA8A60E57760FF2176DF0802BBC4888E0D3EE1918568659
                Memory Dump Source
                • Source File: 00000008.00000002.2407346117.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848e2d000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e734ecf5427c9d2e760a56fbfb2d8287377a70d43c71044c3712ec508f5ebada
                • Instruction ID: 137ebbcff64c57768eb05b58b5e62234859990d3463e7f5fc25560e0af83f7b4
                • Opcode Fuzzy Hash: e734ecf5427c9d2e760a56fbfb2d8287377a70d43c71044c3712ec508f5ebada
                • Instruction Fuzzy Hash: 9441137180DBC44FE7569B2898559623FF0FF57360F1901DFD088CB1A3DA29A84AC7A2
                Memory Dump Source
                • Source File: 00000008.00000002.2408411552.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34291d4ea91947cbf59c83f26815210f97610eface96a41072f0297ba28d843a
                • Instruction ID: 16666003329eb7ff78c453b4efbaf5ff4fc16c7bea26a54ac54ef06b9138366a
                • Opcode Fuzzy Hash: 34291d4ea91947cbf59c83f26815210f97610eface96a41072f0297ba28d843a
                • Instruction Fuzzy Hash: 1D310C31A1CB485FDB18DF1CA80A6E97BE0FBA9710F10422FE449D3651DB31A8568BC2
                Memory Dump Source
                • Source File: 00000008.00000002.2408411552.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5d781b62f3772ad293b57bf61e08a1651963e95d039b63987d259f1c5af846f6
                • Instruction ID: f74031d3b50946de637b3731eab3b8b9fbd37afb166f0b4e43f80a5872639c99
                • Opcode Fuzzy Hash: 5d781b62f3772ad293b57bf61e08a1651963e95d039b63987d259f1c5af846f6
                • Instruction Fuzzy Hash: C0213A3190C74C4FEB59DB6C984A7E97FF0EBA6320F04416FD048C31A2DA74945ACB91
                Memory Dump Source
                • Source File: 00000008.00000002.2408411552.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                • Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                • Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45
                Memory Dump Source
                • Source File: 00000008.00000002.2409305286.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 353ac20097b6f589914e4e6c34808a1369e6e40bb4fe1911e7ce96953db23c2f
                • Instruction ID: bb50d7f3506dc65e537612623d1a409f9fecc91189a9756c986bd02ba1ffb60e
                • Opcode Fuzzy Hash: 353ac20097b6f589914e4e6c34808a1369e6e40bb4fe1911e7ce96953db23c2f
                • Instruction Fuzzy Hash: E7F09A31A0C5858FEB64EF5CA4458A8B7E0FF05360B4500B6E15DC70A3EB2AEC50C764
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.2408411552.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: K_^4$K_^7$K_^F$K_^J
                • API String ID: 0-377281160
                • Opcode ID: 0b14963b038c90133ccca6c25b38e773d62fc6c61595093c97f0e1427e53f416
                • Instruction ID: bead706383397ff6f8c4a37cb53810d507c8abccd64b99c06fffeb200d3c1acc
                • Opcode Fuzzy Hash: 0b14963b038c90133ccca6c25b38e773d62fc6c61595093c97f0e1427e53f416
                • Instruction Fuzzy Hash: 11213B7761A525AED7417B7CB8045DA3BA0DF982B8B4503B3D198CF053EA1C708786D4
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.2619527174.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                • API String ID: 0-1620291718
                • Opcode ID: 23e261d5cd5f6a7fabc9a02a8f3fdef19c5ed1b910c0b626c65bce56a9aed938
                • Instruction ID: 83497c19a37a296d381a927b249132f6b7badfe3e4b42c92ea210f26fefb8bb6
                • Opcode Fuzzy Hash: 23e261d5cd5f6a7fabc9a02a8f3fdef19c5ed1b910c0b626c65bce56a9aed938
                • Instruction Fuzzy Hash: FBD13031D1EA8A5FE795AB2898196B5BBA0EF1A350F1801FFD50DCB0D3EE1CA805C355
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.2619527174.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8>#I
                • API String ID: 0-2340899229
                • Opcode ID: 50dad1b102894cbb356e3c0755a82e789ea3ffd7fea6f0589695c988f1e2759b
                • Instruction ID: e4935142baab0cf635ef0979290b28e3598da2827f1bfc1665cc8755a308708b
                • Opcode Fuzzy Hash: 50dad1b102894cbb356e3c0755a82e789ea3ffd7fea6f0589695c988f1e2759b
                • Instruction Fuzzy Hash: 1451E332E0DA4A4FE79AEB2C541167577E1FFA5260F5801BBD20EC72D3DF18E8058259
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.2619527174.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8>#I
                • API String ID: 0-2340899229
                • Opcode ID: 76103e40c8ab5977d615e1ab90a0ba3453d946ad8deb8a64f9653af53b2797ce
                • Instruction ID: a320cbf1e6735dd3719a6f9b33ffb346557086179690c0c52829868612fe0f51
                • Opcode Fuzzy Hash: 76103e40c8ab5977d615e1ab90a0ba3453d946ad8deb8a64f9653af53b2797ce
                • Instruction Fuzzy Hash: B521CE32E0EA874FE7AAEB2C545017466D1FF742A0F5901BBD21EC72E2CF18EC048649
                Memory Dump Source
                • Source File: 0000000A.00000002.2618193880.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848f20000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9872c810583e5bcc892a43dccdfe08a5b8a853da3a0422cbe03fdb84a2f891d4
                • Instruction ID: 519f3687db648b76b856ae5cbe7d921de0f0c1c585903aeccb132e8f673d3fde
                • Opcode Fuzzy Hash: 9872c810583e5bcc892a43dccdfe08a5b8a853da3a0422cbe03fdb84a2f891d4
                • Instruction Fuzzy Hash: 3531073191CB888FDB19DB5CAC066A97BE0FB99711F00426FE049D3692CA75A855CBC2
                Memory Dump Source
                • Source File: 0000000A.00000002.2616523318.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848e0d000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96ecb827ca33ee5f0dd68a160cf78cb8134085b2fce38f3adaf74d790036c766
                • Instruction ID: 1f145e511ea2493b5a038853aebee38b98a7be0b9e04f014c22f896cb8b79dfa
                • Opcode Fuzzy Hash: 96ecb827ca33ee5f0dd68a160cf78cb8134085b2fce38f3adaf74d790036c766
                • Instruction Fuzzy Hash: 2741E33080DBC44FE7569B3898419523FF0FF57260B1506EFD088CB1A3D629A846C792
                Memory Dump Source
                • Source File: 0000000A.00000002.2618193880.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848f20000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d3b503872c9ee1792d3585bae5bacb6b4fa1f0a92bf416d7fad0ad8864a479e8
                • Instruction ID: ced9b7c1a1b04645daecc020f3ff95022978656d5c42b989bc68166d5be0f51c
                • Opcode Fuzzy Hash: d3b503872c9ee1792d3585bae5bacb6b4fa1f0a92bf416d7fad0ad8864a479e8
                • Instruction Fuzzy Hash: 4F21277080C7888FE7099B689C4A6F97FA4EF52320F04419BD445DB1A3DA79A846CB61
                Memory Dump Source
                • Source File: 0000000A.00000002.2618193880.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848f20000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                Memory Dump Source
                • Source File: 0000000A.00000002.2618193880.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848f20000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b04c2698b73781862ffcfadb0020094724ff47d402d4ac295919dd39e3c737a1
                • Instruction ID: c6c16936e490efe25eecf06de6b4f23a96065ebdd4b270ba7e81a0e70785ea81
                • Opcode Fuzzy Hash: b04c2698b73781862ffcfadb0020094724ff47d402d4ac295919dd39e3c737a1
                • Instruction Fuzzy Hash: CFF0F63650DACC4FDB82EF2CA8690E8BF90FF66215B0402EBD448C7161EB224948CB81
                Memory Dump Source
                • Source File: 0000000A.00000002.2619527174.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848ff0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8420699248bc57d67e197454f1966028d2ec4513137532cf268e95752a1a40b7
                • Instruction ID: d12716fbd96981dca435260a40d5d99fcb0876254634c2c112dd5278a36ce8c9
                • Opcode Fuzzy Hash: 8420699248bc57d67e197454f1966028d2ec4513137532cf268e95752a1a40b7
                • Instruction Fuzzy Hash: 19F09A31A0D5458FDB54EB1CA4448B8B7E0FF15360F5900B7E159D71A3DB2AAC608764
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.2618193880.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7ff848f20000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                • API String ID: 0-962139525
                • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95